SIL Transmitters Configuration
7/29/2019 SIL Transmitters Configuration
ABB SACE S.p.A. Business Unit Instrumentation
Meters
Red sheet
Safety
Safety concept
Safety is:
The protection of human lives, the environment and essential equipment
Safety systems:
in case of plants that present an intolerable level of hazard risk due to certain process conditions, external risk reduction facilities like ESD or SIS may be used. Transmitters play an important role in these systems.
Applications
Emergency shutdown
Fire & gas protection
Burner management
Rotating machinery
Interlocks
Remedial Action Schemes for Power Distribution
Launch Control Systems
Customer benefits
Equivalent safety performances but different costs for :
Safety Integrity Level
Low Demand Mode of Operation: probability of failure to perform its design function on demand
Cont/High Demand Mode of Operation: probability of a dangerous failure per year
SIL 4 >=10-5
to =10-5
to =10-4
to =10-4
to =10-3
to =10-3
to =10-2
to =10-2
to
Safety Standard
λs   Safe failure   295 FIT   144 FIT
λd   Dangerous failure   706 FIT   344 FIT
λsd   Safe detected failure   134 FIT
λsu   Safe undetected failure   160 FIT
λdd   Dangerous detected failure   669 FIT   260 FIT
λdu   Dangerous undetected failure   37 FIT   83 FIT
Don't care   181 FIT   134 FIT
DC   Diagnostic Coverage   94,88 %
SFF   Safe Failure Fraction   96,73 %   82,73 %
What do the manufacturers offer?
These days most end users require contractors to build plants with components that assure a certain safety (SIL) level. In addition, a low level of spurious failures is required, i.e. cases where the plant is shut down because of a failure of the transmitter. To compare transmitters, the HARDWARE FAILURE RATES (lambda) are necessary; three levels of information are offered today.
Improved level
An improvement on the basic level is to have the same data CERTIFIED BY A THIRD AUTHORIZED BODY, such as TÜV or similar.
This gives the customer confidence that the failure data are properly calculated, but THIS IS NOT A SIL 2 CERTIFICATION, as clearly specified in the body's report.
When you have to deal with human integrity etc, is that the device must be built in such a mode that... tolerates one fault without creating risk for .... The declaration clearly says HFT (Hardware Fault Tolerance) is 0, and it does not even mention software fault tolerance.
SIL 2 certified instrument
It meets reliability and safety parameters
The data are certified
The complete instrument is certified
The internal software is redundant
It is one fault tolerant
It is manufactured according to a certified process
Basic level
The manufacturer makes a unilateral declaration of safety data (performances).
The customer has no assurance that these data were calculated correctly.
Note: the table shows the 2600T safety data.
A safety transmitter increases safety, but consider spurious failures
Often two instruments are used in parallel, in order to meet the Hardware Fault Tolerance (HFT) required for SIL loops. But in this way the probability of spurious failures is also doubled.
Instead, a single safety transmitter has redundancy and self-diagnostics to meet the HFT requirements, and its spurious failures are lower than those of two instruments, but higher than those of a normal pressure transmitter.
Additional remarks
What else should the end user remember?
Safety transmitters are not to be installed everywhere, but in safety loops they provide considerable savings while assuring equivalent performance.
The safety transmitter has the same maintenance frequency as a standard one.
How can you avoid safety turning into reduced plant profitability?
In order to avoid spurious plant shutdowns, some users install an additional third transmitter, shutting down only when two transmitters ask for it (2 out of 3). In this case spurious shutdowns are greatly decreased.
This solution has the same performance as two safety transmitters in parallel; this allows the plant not to be stopped in case of a spurious failure, thanks to the signal of the one that says it is running properly. In fact, if a fault develops in one transmitter only, it is clearly an internal one. In other words, the one that works has no fault and delivers the right measurement.
The user can then disconnect the faulty one and check what has happened, without losing plant operation.
Again, two safety transmitters are less expensive than three standard ones.
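The spurious-trip argument above (two instruments in parallel roughly double the spurious trips, 2 out of 3 voting greatly reduces them) can be checked numerically. This is an added example, not part of the ABB sheet; it generalizes to any M-out-of-N voter, assumes independent transmitter failures, and uses a constructed false-demand probability rather than the 2600T figures.

```python
from itertools import product


def voter_trips(demands, m):
    """MooN voter: order a shutdown when at least m transmitters demand it."""
    return sum(demands) >= m


def spurious_trip_probability(m, n, p):
    """Chance that an m-out-of-n group shuts the plant down with no real
    process demand, if each transmitter raises a false demand with
    probability p (assumption: failures are independent)."""
    total = 0.0
    for state in product((False, True), repeat=n):  # every fault combination
        if voter_trips(state, m):
            k = sum(state)  # transmitters falsely demanding a trip
            total += p ** k * (1 - p) ** (n - k)
    return total


# Constructed per-transmitter false-demand probability over the period of
# interest; it is not derived from the failure-rate table on this page.
P_FALSE = 0.01


def compare(p=P_FALSE):
    """Spurious-trip probability for the three arrangements in the text."""
    return {
        "1oo1": spurious_trip_probability(1, 1, p),  # single transmitter
        "1oo2": spurious_trip_probability(1, 2, p),  # two in parallel
        "2oo3": spurious_trip_probability(2, 3, p),  # 2 out of 3 voting
    }


if __name__ == "__main__":
    for name, prob in compare().items():
        print(f"{name}: {prob:.6f}")
    # One faulty transmitter alone does not stop a 2oo3 plant.
    print("2oo3 trips on a single false demand:",
          voter_trips((True, False, False), 2))
```
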