Functional Safety Manual, November 2012: SITRANS LG200 (mA/HART)


SITRANS

Level Instruments Functional safety for SITRANS LG200 (HART)

Ordering Number: 7ML19985LC01 11/2012

Product Information

SITRANS LG200 (HART): 7ML1300–xxAxx–xxxx 7ML1300–xxBxx–xxxx

2 of 18 Functional Safety for SITRANS LG200 (HART) Product Information 11/2012 – 7ML19985LC01

Safety Guidelines

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

Danger: indicates that death or severe personal injury will result if proper precautions are not taken.

Warning: indicates that death or severe personal injury may result if proper precautions are not taken.

Caution (with a safety alert symbol): indicates that minor personal injury can result if proper precautions are not taken.

Caution (without a safety alert symbol): indicates that property damage can result if proper precautions are not taken.

Notice: indicates that an unintended result or situation can occur if the corresponding information is not taken into account.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel

The device/system may only be set up and used in conjunction with this documentation. Commissioning and operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes in this documentation qualified persons are defined as persons who are authorized to commission, ground and label devices, systems and circuits in accordance with established safety practices and standards.

Prescribed Usage

Note the following:

Warning

This device may only be used for the applications described in the catalog or the technical description and only in connection with devices or components from other manufacturers which have been approved or recommended by Siemens. Correct, reliable operation of the product requires proper transport, storage, positioning and assembly as well as careful operation and maintenance.

Trademarks

All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of liability

While we have verified the contents of this manual for agreement with the hardware and software described, variations remain possible. Thus we cannot guarantee full agreement. The contents of this manual are regularly reviewed and corrections are included in subsequent editions. We welcome all suggestions for improvement.

Copyright © SIEMENS AG 2012 Subject to change without further notice


Table of contents

1 Introduction
1.1 Safety Manual Revision History
1.2 General
1.3 Purpose of this document
1.4 Required documentation
1.5 History
2 General safety instructions
2.1 Safety-instrumented system (SIS)
2.2 Safety Integrity Level (SIL)
3 Device-specific safety instructions
3.1 Applications
3.2 Safety function
3.3 Application restrictions
3.4 Settings
3.5 Behavior in case of faults
3.6 Maintenance/Testing
3.7 Safety characteristics
A List of Abbreviations/Acronyms
A.1 Abbreviations
Glossary


1 Introduction

1.1 Safety Manual Revision History

| Revision | Document Part Number | Release Date | Revision Comments |
|---|---|---|---|
| 1.0 | 7ML19985LC01 | 03/2008 | Initial Release |
| 1.1 | 7ML19985LC01 | 11/2012 | Minor changes to sections 2.2 Safety Integrity Level, 3.2 Safety function, 3.6 Maintenance/Testing, A.1 Abbreviations |

1.2 General

The following table lists all available SITRANS LG200 HART models:

| Product Number |
|---|
| 7ML1300–xxAxx–xxxx |
| 7ML1300–xxBxx–xxxx |

The term LG200 is used in the following text for all device models.

Coaxial, twin element (rod or cable), and single element (rod or cable) are the three basic configurations. The probe for use with the SITRANS LG200 should be selected as appropriate for the application. Careful selection of probe design and materials for a specific application will minimize media buildup on the probe.

1.3 Purpose of this document

This document contains information and safety instructions required when using the LG200 in safety-instrumented systems.

It is aimed at system planners, plant managers, service and maintenance engineers and personnel who will commission the device.

1.4 Required documentation

This document deals with the “Continuous Guided Wave Radar Measurement – SITRANS LG200 HART” exclusively as part of a safety function. This document only applies in conjunction with the following documentation:

| Name | Order No* |
|---|---|
| Operating Instructions for LG200 HART devices | 7ML1998–5KA0x (English), 7ML1998–5KA3x (German), 7ML1998–5KA1x (French) |

* The “x” in the order number represents the revision number of the Operating Instructions. Always use the latest revision, which can be obtained at the following website: http://www.siemens.com/level.


1.5 History

This history establishes the correlation between the current documentation and the valid firmware of the device.

The documentation of this edition is applicable for the following firmware:

| Safety Manual Edition | Firmware identification type plate | System integration | Installation path for PDM |
|---|---|---|---|
| Rev. 1.0, Rev. 1.1 | FW: from Rev. 3.0m0 | From PDM V 6 SP2 | Sitrans_LG200 |

Valid FW versions will be specified in the Functional Safety Declaration.

The most important changes in the documentation when compared with the respective previous edition are given in the following table:

| Safety Manual Edition | Comment |
|---|---|
| Rev. 1.0 | Safety manual order #: 7ML19985LC01 |
| Rev. 1.1 | Safety manual order #: 7ML19985LC01. Minor changes to sections 2.2 Safety Integrity Level, 3.2 Safety function, 3.6 Maintenance/Testing, A.1 Abbreviations. Updated Figure 2-1 |


More information

Information

The contents of these instructions shall not become part of or modify any prior or existing agreement, commitment, or legal relationship. All obligations on the part of Siemens AG are contained in the respective sales contract which also contains the complete and solely applicable warranty conditions. Any statements contained herein do not create new warranties or modify the existing warranty.

The content reflects the technical status at the time of printing. We reserve the right to make technical changes in the course of further development.

Siemens regional offices

If you need more information or have particular problems which are not covered sufficiently by the operating instructions, contact your local Siemens Regional Office. You will find the address of your local Siemens Regional Office on the Internet at https://www.siemens.com/processinstrumentation under the tab Contacts.

Product information on the Internet

The Operating Instructions are on the supplied CD and are also available on the Siemens Level homepage on the Internet: www.siemens.com/level

On the supplied CD, you will also find the product catalog sheet containing the ordering data, the Device Install software for SIMATIC PDM for subsequent installation, and the generic station description (GSD).

See also

Siemens Regional Offices (https://www.siemens.com/processinstrumentation) under the tab Contacts.

Product information and Operating Instructions on the Internet (http://www.siemens.com/level)


2 General safety instructions

2.1 Safety-instrumented system (SIS)

Description

An instrumented system used to implement one or more safety instrumented functions. A SIS is composed of any combination of sensor, logic solvers or control systems (PLCs), and final elements.

Figure 2-1: Example of a safety-instrumented system


Device operation

The SITRANS LG200 Guided Wave Radar Level Transmitter is a loop-powered, 24 V DC level transmitter, based on Guided Wave Radar technology. For Safety Instrumented Systems usage, it is assumed that the 4 to 20 mA output is used as the primary safety variable. The analog output meets NAMUR NE 43 (3.8 to 20.5 mA usable). The transmitter contains self-diagnostics and is programmed to send its output to a user-selected failure state, either low or high, upon internal detection of a failure.

Theory of operation

Guided Wave Radar is based upon the principle of TDR (Time Domain Reflectometry). TDR utilizes pulses of electromagnetic energy transmitted down a probe. When a pulse reaches a surface that has a higher dielectric than the air/vapor in which it is traveling, the pulse is reflected. An ultra high-speed timing circuit precisely measures the transit time and provides an accurate level measurement.

The SITRANS LG200 is classified as a Type B device according to IEC 61508.

2.2 Safety Integrity Level (SIL)

Definition: SIL

The international standard IEC 61508 defines four discrete Safety Integrity Levels (SIL) from SIL 1 to SIL 4. Each level corresponds to the probability range for the failure in a safety function.

The higher the level of safety integrity of the safety-related system, the lower the probability that the safety-related system will fail to carry out the required safety function.

The achievable SIL is determined by the following safety characteristics:

• Average probability of dangerous failure of a safety function in case of demand (PFDAVG)

• Hardware fault tolerance (HFT)

• Safe failure fraction (SFF)

Description

The following table shows the dependency of the SIL on the “average probability of dangerous failures of a safety function of the entire safety-instrumented system” (PFDAVG). The table deals with “Low demand mode,” i.e. the safety function is required to act a maximum of once per year on average.

Table 2-1 Safety Integrity Level

| SIL | PFDAVG |
|---|---|
| 4 | 10^-5 ≤ PFDAVG < 10^-4 |
| 3 | 10^-4 ≤ PFDAVG < 10^-3 |
| 2 | 10^-3 ≤ PFDAVG < 10^-2 |
| 1 | 10^-2 ≤ PFDAVG < 10^-1 |


The “average probability of dangerous failures of the entire safety instrumented system” (PFDAVG) is normally split between the three subsystems in the following figure.

Figure 2-2 Example of PFD distribution

The table below shows the achievable Safety Integrity Level (SIL) for the entire safety-instrumented system for type B systems depending on the safe failure fraction (SFF) and the hardware fault tolerance (HFT). Type B systems include analog transmitters and shut-off valves with complex components, e.g. microprocessors (see also IEC 61508, Section 2).

| SFF | HFT 0 | HFT 1 | HFT 2 |
|---|---|---|---|
| < 60 % | Not allowed | SIL 1 | SIL 2 |
| 60 to 90 % | SIL 1 | SIL 2 | SIL 3 |
| 90 to 99 % | SIL 2 | SIL 3 | SIL 4 |
| > 99 % | SIL 3 | SIL 4 | SIL 4 |

The achievable SIL is also constrained by the integrated set of techniques and measures used to ensure Systematic Safety Integrity, or avoidance of failures in design.

[Figure 2-2 labels: PFDAVG component shares of < 35%, < 15% and < 50% across Sensor (e.g. guided wave radar level instrument), Control system or logic unit (e.g. PLC) and Final controlling element (e.g. valve)]


3 Device-specific safety instructions

3.1 Applications

The Hardware assessment of the SITRANS LG200 shall provide the safety instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511 and does not include an assessment of systematic safety integrity (software and development process).

The SITRANS LG200 satisfies the safety integrity requirements up to SIL 2 in accordance with IEC 61508 and IEC 61511-1.

3.2 Safety function

The analog output 4 to 20 mA (NAMUR) may be used as part of a safety instrumented function (SIF). A dangerous failure is defined as a deviation of the output current from the actual measurement of ±2% of full span.

Warning

The settings and conditions listed in the “Settings” and “Safety characteristics” sections of this document must be met for the safety function specification to be valid.

If the device indicates a diagnostic failure, the system must be brought to a failsafe state, or the device shall be repaired within the Mean Time To Restoration (MTTR). The base of this PFD calculation is a MTTR of 8 hours.

The Failure Rates, SFF, and PFDAVG published in the SIL Declaration of Conformity are only valid for 10 years of operation.

Reference

LG200 Operating Instructions (Chapter 1.4)

See also

Settings (Chapter 3.4)

Safety characteristics (Chapter 3.7)


3.3 Application restrictions

Systematic Limitations

The following must be observed to avoid systematic failures.

Application

Choosing the proper Guided Wave Radar (GWR) probe is the most important decision in the application process. The probe configuration establishes fundamental performance characteristics. Coaxial, twin element (rod or cable), and single element (rod or cable) are the three basic configurations. The probe for use with the LG200 should be selected as appropriate for the application. Careful selection of probe design and materials for a specific application will minimize media buildup on the probe.

Environmental

See Operating Instructions for Environmental limitations.

Skill level of Personnel

Personnel following the procedures of this safety manual should have technical expertise equal to or greater than that of a qualified Instrument Technician.

Necessary Tools

The following tools are needed to carry out the prescribed procedures:

• Open-wrenches or adjustable wrench to fit the process connection size and type.

o Coaxial probe 1½” (38 mm)

o Twin Rod probe 1 7/8” (47 mm)

o Transmitter 1½” (38 mm)

o Torque wrench is highly desirable

• Flat-blade screwdriver

• Cable cutter and 3/32” (2.5 mm) hex wrench (7ML1304-1, 7ML1304-2, 7ML1302-2, 7ML1302-3 Flexible probes only)

• Digital multimeters or digital volt/ammeter

• 24 V DC power supply, 23 mA minimum

Storage

The device should be stored in its original shipping box and not be subjected to temperatures outside the storage temperature (-50 °C to +80 °C) shown in the SITRANS LG200 Operating Instructions (Chapter 1.4).

Installation

Refer to the SITRANS LG200 Operating Instructions for proper installation instructions.

Refer to the Password Protection section in the SITRANS LG200 Operating Instructions for information on the use, changing, and resetting of the password protection function.


Refer to the Parameter chapter in the SITRANS LG200 Operating Instructions for menu selection items for configuration of the transmitter as a level sensing device.

See Section 3.4 for Configuration recommendations.

This SIL evaluation has assumed that the customer will be able to acknowledge an over- or under-current condition via the Logic Solver.

3.4 Settings

Configuration

The SITRANS LG200 can be configured via the local display or via the HART compatible handheld terminal or personal computer.

Configuration for Overfill Protection

Ensure the parameters have been properly configured for the application and probe.

Special consideration should be given to the following configuration parameters:

DIELECTRIC: Ensure this is set to 1.4 - 1.7 for propane and butane or 1.7 - 3.0 for the majority of hydrocarbon applications.

FAULT: Do NOT choose HOLD for this parameter as a Fault will not be annunciated on the current loop.

BLOCKING DISTANCE: this value MUST be Zero for SIL applications. Consult Factory before making any changes.

THRESHOLD: set to FIXED if this is a hydrocarbon application with any possibility of water bottoms.

PASSWORD: should be changed to a specific value other than Zero. See Write Protection/Locking below.

Write Protection/Locking

The SITRANS LG200 is password protected with a numerical password between 0 (Default = 0 = Password disabled) and 255. After the password has been successfully entered, an exclamation mark (!) appears as the last character on the first line of the display.

Refer to the Parameter chapter in the SITRANS LG200 Operating Instructions for information on password protection.

Write Enabling/Unlocking

Ensure an exclamation mark (!) appears as the last character on the first line of the display to confirm the password has been accepted.

Refer to the Parameter chapter in the SITRANS LG200 Operating Instructions for information on password protection.

When alterations to the system are complete, ensure the menu has been locked with the password to prevent inadvertent changes to the device.

Site Acceptance Testing

To ensure proper operation after installation and configuration, a site acceptance test should be completed. This procedure is identical to the Proof Test Procedure described in Section 3.6.


Recording Results

Results of Site Acceptance Testing must be recorded for future reference.

Reference

SITRANS LG200 Operating Instructions (Chapter 1.4)

Protection against configuration changes

After configuration, the LG200 must be protected against unwanted and unauthorized changes/operation. The user password must be set to anything other than 0 (zero).

Checking the safety function after installation

After installation of the SITRANS LG200, a safety function proof test must be carried out (see Chapter 1.1).

When performing this test, measurement must be verified to be within a range of ±2% (full span) of the expected result.

3.5 Behavior in case of faults

Fault

The procedure in case of faults is described in the device Operating Instructions.

Repairs

Defective devices should be sent to the Repair Department with details of the fault and the cause. When ordering replacement devices, please specify the serial number of the original device. The serial number can be found on the nameplate.

See also

Services & Support (http://www.siemens.com/automation/services&support)

Partner (http://www.automation.siemens.com/partner)

3.6 Maintenance/Testing

Interval

We recommend that the functioning of the level transmitter be checked at regular intervals of one year.

Diagnostics

Internal diagnostic testing does a complete cycle 6 times per second (1 every 167 ms). A message will appear and the Output current will be driven to 3.6 or 22 mA (customer dependent) upon detection of a Fault.


Troubleshooting

Report all failures to Siemens.

Refer to the SITRANS LG200 Operating Instructions for troubleshooting device errors.

• As there are no moving parts in this device, the only maintenance required is the proof test.

• Firmware can only be upgraded by factory personnel.

Functional safety proof test

Introduction

Following are the procedures utilized to detect Dangerous Undetected (DU) failures. The procedure will detect approximately 97% of possible DU failures in the 7ML1300–xxAxx–xxxx, and 94% of failures in the 7ML1300–xxBxx–xxxx.

The Internet Product Page (www.siemens.com/lg200) will be used to communicate additional Safety Information, and should be checked regularly.

Interval

To maintain the Safety Integrity Level of a Safety Instrumented System, it is imperative that the entire system be tested at regular time intervals (TI in the appropriate standards). The SIL for 7ML1300 is based on the assumption that the End User will carry out these tests and inspection at least once (1x) per year. The onus is on the owner/operator to select the type of inspection and the time period for these tests.

The system check must be carried out to prove that the overfill protection functions meet the IEC specification and result in the desired response of the safety system as a whole.

This system check can be guaranteed when the response height is approached in the filling process. If this is not practical, a suitable method of simulating the level of the physical measurement must be used to make the level sensor respond as if the fill fluid were above the alarm/set point level. If the operability of the sensor/transmitter can be determined by other means that exclude all fault conditions that may impair the normal functions of the device, the check may also be completed by simulating the corresponding output signal of the device.

Recording results

Results of the Proof test should be recorded for future reference.

Proof Test Procedure

A suggested proof test is described below. This test will detect approximately 97% of possible DU failures in 7ML1300–xxAxx–xxxx and 94% of failures in the 7ML1300–xxBxx–xxxx of the SITRANS LG200 Guided Wave Radar Level Transmitter.

1. Bypass the safety PLC or take other appropriate action to avoid a false trip.

2. Send a HART command to the transmitter to go to the high alarm current output and verify that the analog current reaches that value.

This tests for compliance voltage problems such as low power supply voltage or increased loop wiring resistance. This also tests for other possible failures in the current loop circuitry.


3. Send a HART command to the transmitter to go to the low alarm current output and verify that the analog current reaches that value.

This tests for possible quiescent current related failures.

4. Remove level from the probe. The Status parameter should say “Dry Probe” and the level reading should be equal to the value in the “Level Offset” parameter.

5. Perform a two-point calibration check of the transmitter by applying level to two points on the probe and compare the transmitter display reading and the current level value to a known reference measurement.

6. If the calibration is correct, the proof test is complete. Proceed to Step 11.

7. If calibration is incorrect, remove the transmitter and probe from the process. Inspect the probe for buildup or clogging. Clean the probe if necessary.

Perform a bench calibration check by shorting the probe at two points. Measure the level from the bottom of the probe to the points and compare to the transmitter display and current level readings.

8. If the calibration is off by more than 2%, call the factory for assistance.

9. If the calibration is correct, the proof test is complete. Proceed to step 10.

10. Re-install the probe and transmitter.

11. Restore the loop to full operation.

12. Remove the bypass from the safety PLC or otherwise restore normal operation.
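The pass criteria of steps 2 to 5 can be checked mechanically against the recorded readings. The following is an added example, not part of the Siemens manual: the record field names, the `lrv`/`urv` scaling values and both sample records are constructed, and the 21.0 mA high-failure threshold is the NAMUR NE 43 value, which this manual does not state.

```python
import math

# Loop-current bands in mA. The 3.8 to 20.5 mA usable range and the 3.6 / 22 mA
# alarm outputs come from this manual; the 21.0 mA high-failure threshold is the
# NAMUR NE 43 value and is an assumption here (the manual does not state it).
USABLE_LOW, USABLE_HIGH = 3.8, 20.5
FAIL_LOW, FAIL_HIGH = 3.6, 21.0
TOLERANCE_PCT = 2.0  # allowed deviation in % of full span (Sections 3.2 and 3.4)


def classify_current(ma):
    """Map a measured loop current to the signal band a logic solver would see."""
    if ma <= FAIL_LOW:
        return "FAULT_LOW"
    if ma >= FAIL_HIGH:
        return "FAULT_HIGH"
    if USABLE_LOW <= ma <= USABLE_HIGH:
        return "MEASUREMENT"
    return "UNDEFINED"  # between the usable range and a failure band


def current_to_level(ma, lrv, urv):
    """Level represented by a loop current, given the levels at 4 mA and 20 mA."""
    return lrv + (ma - 4.0) / 16.0 * (urv - lrv)


def deviation_pct(value, reference, lrv, urv):
    """Deviation from the reference as a percentage of full span."""
    return abs(value - reference) / (urv - lrv) * 100.0


def evaluate_proof_test(rec):
    """Return (step, finding) tuples for steps 2 to 5; an empty list means none."""
    findings = []
    if classify_current(rec["high_alarm_ma"]) != "FAULT_HIGH":
        findings.append((2, f"high alarm current not reached: {rec['high_alarm_ma']} mA"))
    if classify_current(rec["low_alarm_ma"]) != "FAULT_LOW":
        findings.append((3, f"low alarm current not reached: {rec['low_alarm_ma']} mA"))
    dry_ok = rec["dry_status"] == "Dry Probe" and math.isclose(
        rec["dry_level"], rec["level_offset"], abs_tol=1e-9)
    if not dry_ok:
        findings.append((4, "dry probe status or Level Offset reading mismatch"))
    for reference, display, loop_ma in rec["points"]:
        loop_level = current_to_level(loop_ma, rec["lrv"], rec["urv"])
        worst = max(deviation_pct(display, reference, rec["lrv"], rec["urv"]),
                    deviation_pct(loop_level, reference, rec["lrv"], rec["urv"]))
        if worst > TOLERANCE_PCT:
            findings.append((5, f"calibration off by {worst:.2f}% of span at {reference}"))
    return findings


# Constructed sample records (levels in cm, 0 cm at 4 mA and 200 cm at 20 mA).
GOOD_RECORD = {
    "high_alarm_ma": 22.0, "low_alarm_ma": 3.6,
    "dry_status": "Dry Probe", "dry_level": 0.0, "level_offset": 0.0,
    "lrv": 0.0, "urv": 200.0,
    # (reference level, transmitter display, measured loop current in mA)
    "points": [(50.0, 50.8, 8.05), (150.0, 149.1, 15.95)],
}
# Same record with a loop that cannot reach the high alarm current and a
# display reading that is 2.5 % of span away from the reference.
BAD_RECORD = dict(GOOD_RECORD, high_alarm_ma=20.9,
                  points=[(50.0, 50.8, 8.05), (150.0, 155.0, 15.95)])

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, evaluate_proof_test(rec) or "no findings")
```

A current that lands between the usable range and a failure band is reported as `UNDEFINED` rather than as a valid measurement, which is the case a high alarm test with insufficient compliance voltage produces.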

3.7 Safety characteristics

| Specific SITRANS LG200 Model | 7ML1300–xxBxx–xxxx | 7ML1300–xxAxx–xxxx |
|---|---|---|
| SIL | SIL 2 | SIL 1 |
| HFT | 0 | 0 |
| SFF | 91.0% | 84.5% |
| PFDavg | 4.69E-04 | 8.06E-04 |
| Proof Test Interval | Annually (refer to table below for other periods) | Annually (refer to table below for other periods) |

| Proof Test Interval (months) | PFD avg. (SIL 2) | PFD avg. (SIL 1) |
|---|---|---|
| 0 | 0.00E+00 | 0.00E+00 |
| 6 | 2.37E-04 | 4.05E-04 |
| 12 | 4.69E-04 | 8.06E-04 |
| 18 | 7.02E-04 | 1.21E-03 |
| 24 | 9.34E-04 | 1.61E-03 |
| 30 | 1.17E-03 | 2.01E-03 |
| 36 | 1.40E-03 | 2.41E-03 |
| 48 | 1.86E-03 | 3.21E-03 |
| 60 | 2.33E-03 | 4.01E-03 |
| 72 | 2.79E-03 | 4.81E-03 |
| 84 | 3.26E-03 | 5.62E-03 |
| 96 | 3.72E-03 | 6.42E-03 |
| 108 | 4.18E-03 | 7.22E-03 |
| 120 | 4.65E-03 | 8.02E-03 |
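How Table 2-1, the type B SFF/HFT table in Section 2.2 and the proof test interval table above combine is shown in the following added example, which is not part of the Siemens manual. It assumes the "< 35%" label of Figure 2-2 is the sensor's share of the PFDAVG budget and treats the SFF band edges as half-open; all function names are hypothetical.

```python
# Tables transcribed from this manual; names and structure are illustrative.

# Table 2-1 (low demand mode): SIL -> PFDavg band, lower <= PFDavg < upper
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Type B table: (upper SFF bound in %, achievable SIL for HFT 0, 1, 2).
# 0 stands for "Not allowed". Half-open band edges are an assumption.
ARCH_TYPE_B = [
    (60.0, (0, 1, 2)),
    (90.0, (1, 2, 3)),
    (99.0, (2, 3, 4)),
    (float("inf"), (3, 4, 4)),
]

# Assumption: the "< 35%" label of Figure 2-2 is the sensor's share of the budget.
SENSOR_SHARE = 0.35

# Section 3.7: model -> (SFF %, HFT, {proof test interval in months: PFDavg})
MODELS = {
    "B": (91.0, 0, {  # 7ML1300-xxBxx-xxxx
        6: 2.37e-4, 12: 4.69e-4, 18: 7.02e-4, 24: 9.34e-4, 30: 1.17e-3,
        36: 1.40e-3, 48: 1.86e-3, 60: 2.33e-3, 72: 2.79e-3, 84: 3.26e-3,
        96: 3.72e-3, 108: 4.18e-3, 120: 4.65e-3}),
    "A": (84.5, 0, {  # 7ML1300-xxAxx-xxxx
        6: 4.05e-4, 12: 8.06e-4, 18: 1.21e-3, 24: 1.61e-3, 30: 2.01e-3,
        36: 2.41e-3, 48: 3.21e-3, 60: 4.01e-3, 72: 4.81e-3, 84: 5.62e-3,
        96: 6.42e-3, 108: 7.22e-3, 120: 8.02e-3}),
}


def sil_band(pfd_avg):
    """SIL band of Table 2-1 that a PFDavg value falls into, or None."""
    for sil, (lower, upper) in PFD_BANDS.items():
        if lower <= pfd_avg < upper:
            return sil
    return None


def arch_sil(sff_percent, hft):
    """Architectural limit for a type B subsystem (0 = not allowed)."""
    if hft not in (0, 1, 2):
        raise ValueError("table covers HFT 0, 1 and 2 only")
    for upper, sils in ARCH_TYPE_B:
        if sff_percent < upper:
            return sils[hft]


def budget_sil(pfd_avg, share=SENSOR_SHARE):
    """Highest SIL whose upper PFDavg limit, scaled by the share, is not used up."""
    for sil in (4, 3, 2, 1):
        if pfd_avg < share * PFD_BANDS[sil][1]:
            return sil
    return 0


def claimable_sil(model, months):
    """Lower of the architectural limit and the PFDavg budget limit."""
    sff, hft, table = MODELS[model]
    return min(arch_sil(sff, hft), budget_sil(table[months]))


def longest_interval(model, target_sil, share=SENSOR_SHARE):
    """Longest tabulated proof test interval that stays inside the sensor budget."""
    limit = share * PFD_BANDS[target_sil][1]
    best = None
    for months, pfd_avg in sorted(MODELS[model][2].items()):
        if pfd_avg >= limit:
            break
        best = months
    return best


if __name__ == "__main__":
    for model in MODELS:
        for months in (12, 60, 96, 120):
            print(model, months, "months -> SIL", claimable_sil(model, months))
```

The result does not cover systematic safety integrity, which Section 2.2 names as a further constraint on the achievable SIL.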


PFD Graph

[Graph: PFDAVG(t) SITRANS LG200]

See also

Settings (Chapter 3.4)

SIL Declaration of Conformity on the Internet Product Page (www.siemens.com/lg200). Go to Support > Approvals / Certificates.


A List of Abbreviations/Acronyms

A.1 Abbreviations

| Abbreviation | Full term in English | Meaning |
|---|---|---|
| FIT | Failures in Time | Failure rates have the dimension one over time. Failure rates are specified in FIT (Failures in Time), i.e., the number of failures in 10^9 component hours. |
| HFT | Hardware Fault Tolerance | Hardware fault tolerance: Capability of a function unit to continue executing a required function in the presence of faults or deviations. |
| MooN | "M out of N" voting | Safety instrumented system, or part thereof, made up of “N” independent channels, which are so connected, that “M” channels are sufficient to perform the safety instrumented function. Example: Pressure measurement: 1oo2 architecture. A safety instrumented system decides that a specified pressure limit has been exceeded if one out of two pressure sensors reaches this limit. In a 1oo1 architecture, there is only one pressure sensor. |
| MTBF | Mean Time Between Failures | Average period between two failures. |
| MTTR | Mean Time To Restoration | Average period between the occurrence of a fault on a device or system and the repair. |
| PFD | Probability of Failure on Demand | Probability of dangerous failures of a safety function on demand. |
| PFDAVG | Average Probability of Failure on Demand | Average probability of dangerous failures of a safety function on demand. |
| PLC | Programmable Logic Controller | |
| SFF | Safe Failure Fraction | Proportion of safe failures: Proportion of failures without the potential to bring the safety instrumented system into a dangerous or non-permissible functional status. |
| SIF | Safety Instrumented Function | A portion of a safety instrumented system consisting of a sensor, logic solver/PLC and final element used to reduce the risk of occurrence of one hazardous event. |
| SIL | Safety Integrity Level | The international standard IEC 61508 defines four discrete Safety Integrity Levels (SIL 1 to SIL 4). Each level corresponds to a range of probability for failure of a safety function. The higher the Safety Integrity Level of the safety-instrumented system, the lower the probability that it will not execute the required safety functions. |
| TI | Proof Test Interval | Interval at which the test to reveal undetected faults is performed. |


Glossary

Dangerous failure

Failure with the potential to bring the safety-instrumented system into a dangerous or non-functional status.

Example:

The measurement device reports a value 10% below the actual value, preventing the safety function from acting on a value which is too high.

Low Demand Mode

The frequency of demands for operation made on a safety related system is no greater than one per year and no greater than twice the proof-test frequency.

Safety function

Defined function of a device or system with the objective of achieving or maintaining a safe state of a system taking into account a defined dangerous occurrence.

Example:

Level/pressure/temperature measurement using 4 to 20 mA output.

Safety Integrity Level

See SIL

Safety-instrumented system

A safety-instrumented system executes the safety functions that are required to achieve or maintain a safe status in a system. It consists of a sensor, logic solver/control system (PLC) and final element.

Definition: Safety Instrumented Function (SIF)

A portion of a safety instrumented system consisting of a sensor, logic solver/control system (PLC) and final element used to reduce the risk of occurrence of one hazardous event.

Example:

A safety PLC will close a valve if the measured value exceeds a specified value.

SIL

The international standard IEC 61508 defines four discrete Safety Integrity Levels (SIL) from SIL 1 to SIL 4. Each level corresponds to the probability range for the failure of a safety function. The higher the SIL of the safety-instrumented system, the higher the probability that the required safety function will work.

The achievable SIL is determined by the following safety characteristics:

• Average probability of dangerous failure of a safety function in case of demand (PFDAVG)

• Hardware fault tolerance (HFT)

• Safe failure fraction (SFF)

www.siemens.com/level

Siemens AG, Industry Sector, 1954 Technology Drive, P.O. Box 4225, Peterborough, ON, Canada K9J 7B1
Tel: (705) 745-2431, Fax: (705) 741-0466, Email: [email protected]
*7ml19985LC01* Rev. 1.1

Siemens AG 2012. Subject to change without prior notice

Printed in Canada