
Endress+Hauser Proline Promag 50, Proline Promag 53 Manual, Page 13

Electromagnetic flow measuring system with 4-20 mA output signal

Proline Promag 50, 53
The electromagnetic flow measuring system PROMAG 50/53 is considered to be a Type B
sub-system with a hardware fault tolerance of 0.
Type B sub-systems with a SFF of 60% to < 90% must have a hardware fault tolerance of 1
according to table 3 of IEC 61508-2 for SIL 2 (sub-) systems.
As the electromagnetic flow measuring system PROMAG 50/53 is supposed to be a
proven-in-use sub-system, an assessment of the hardware with additional proven-in-use
demonstration was carried out. Therefore, according to the requirements of IEC 61511-1 First
Edition 2003-01 section 11.4.4 and the assessment described in section 6, a hardware fault
tolerance of 0 is sufficient for SIL 2 sub-systems being Type B sub-systems and having a SFF
of 60% to < 90%.
The proven-in-use investigation was based on field return data collected and analyzed by
Endress+Hauser Flowtec AG.
According to the requirements of IEC 61511-1 First Edition 2003-01 section 11.4.4 and the
assessment described in section 6 the device is suitable to be used, as a single device, for
SIL 2 safety functions. The decision on the usage of proven-in-use devices, however, is always
with the end-user.
Endress+Hauser Flowtec AG performed a qualitative analysis of the mechanical parts of the
electromagnetic flow measuring system PROMAG 50/53 (see [D7]). This analysis was used by
exida to calculate the failure rates of the sensor elements using exida's experience-based
data compilation for the different components of the sensor elements (see [R1]). The results of
the quantitative analysis were used for the calculations described in sections 5.1 to 5.6.
Assuming that the application program in the safety logic solver is configured to detect
under-range and over-range failures and does not automatically trip on these failures, these
failures have been classified as dangerous detected failures. The following tables show how the
above stated requirements are fulfilled.
Table 2: Summary for the worst case version – Failure rates

Failure category                                                   Failure rates (in FIT)
Fail Dangerous Detected                                            756
  Fail dangerous detected (internal diagnostics or indirectly [3]) 598
  Fail high (detected by the logic solver)                         7
  Fail low (detected by the logic solver)                          140
  Annunciation detected                                            11
Fail Dangerous Undetected                                          295
  Fail dangerous undetected                                        285
  Annunciation undetected                                          10
No Effect                                                          265
Not part                                                           194

[1] Type B sub-system: “Complex” sub-system (using micro controllers or programmable logic); for details see
7.4.3.1.3 of IEC 61508-2.
[2] It is assumed that practical fault insertion tests can demonstrate the correctness of the failure effects assumed
during the FMEDAs.
[3] “indirectly” means that these failures are not necessarily detected by diagnostics but lead to either fail low or fail high
failures depending on the transmitter setting and are therefore detectable.

© exida.com GmbH, e+h 06-02-03 r039 v1 r1.doc, October 4, 2006, Stephan Aschenbrenner, Page 3 of 4
