8.11 Safety requirement allocation
Each safety function, with its associated safety integrity
requirement, shall be allocated to the designated safety related
systems taking into account the risk reductions achieved by the
other technology safety-related systems and external risk
reduction facilities, so the necessary risk reduction for that
safety function is achieved.
The allocation indicated shall be done in such a way that all
safety functions are allocated and the safety integrity
requirements are met for each safety function.
8.12 Safety routines
Additional safety requirements may be defined in order to
ensure the correct functionality of sequences in the Safety
Instrumented System.
8.13 Commissioning
8.13.1 Overall system functionality
The activity to validate the required safety functionality of the
system together with the pressure transmitter according to the
Safety Requirement Specification is the Pre-Startup
Acceptance test.
8.13.2 Faults outside the functional safety
The redundant algorithms and the electronics are designed to
detect all internal hardware faults; the transmitter diagnostics,
however, cannot detect faults related to the process and to the
installation configuration. The following list gives the known
weaknesses resulting from the transducer FMEA (Failure Mode
and Effect Analysis).
— Assembled material at the pipes of the transmitter,
blockage of pipe.
— Application outside specified temperature range.
— Excess of temperature.
— Assembled gas at the transmitter, if the transmitter is
mounted above the process line.
— Overload pressure, high peak pressure pulses in process
lines.
— Penetration of hydrogen, diaphragm crack in applications
with hydrogen process medium.
— Thin walled diaphragm, leaky diaphragm in applications
with abrasive medium.
— Thin walled diaphragm, leaky diaphragm in applications
with corrosive medium.
— Higher diaphragm stiffness, crack in application with
contamination of metal ions.
— Mechanical damage through cleaning, damage of the
coating, corrosion.
8.13.3 Other considerations
The alarm level of the transmitter (down-scale or up-scale) can
be selected by the user. By default all 266 devices are
configured with the up-scale alarm. For some faults (e.g. crystal
breakdown), the output will latch at 3.6 mA even if the up-scale
alarm level is selected.
8.14 Architecture description and principle of operation
The instrument consists of two main functional units:
— Primary unit
— Secondary unit
The Primary Unit (pressure transducer) includes the process
interface, the sensor and the front-end electronics; the
Secondary Unit includes the electronics, the terminal block and
the housing. The two units are mechanically coupled by a
threaded joint.
8.15 Principle of operation
The principle of operation is as follows. In the primary unit the
process fluid (liquid, gas or vapour) exerts pressure on the
sensor via flexible, corrosion-resistant isolating diaphragms and
capillary tubing containing the fill fluid.
As the sensor detects the pressure changes, it simultaneously
produces variations of the primary physical value depending on
the sensor technology (capacitive, inductive or piezoresistive).
The signal is then converted in the front-end electronics into
digital form and the raw values are computed by a
microcontroller into a precise, linearized primary output,
compensating for the combined effects of sensor non-linearity,
static pressure and temperature changes on the basis of the
"mapped" parameters calculated in the manufacturing process
and stored in the memory of the front-end electronics.
Calculations follow two independent flows, which are compared
in the microcontroller in order to validate the output pressure
signal. If a difference between the two measurements is
detected, the analog output is driven to the safety condition.
The measured values and the sensor parameters are transferred
via a standard serial digital communication link to the secondary
unit, where the communication board is fitted.
The output data value is converted into a pulse-width signal
that is filtered and that drives the 4-20 mA output stage.
Bi-directional digital communication using the standard
"HART" protocol is implemented as part of this unit. Internal
diagnostic algorithms check the correctness and validity of all
processing variables and the correct working of the memories.
The output stage is also checked by reading back the analog
output signal and by reading the power supply voltage. The
feedback loop is obtained by an additional A/D converter placed
at the end of the output stage, which translates the 4-20 mA
signal into a digital form suitable for comparison by the
microcontroller.
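The following C program is an added illustration, not ABB code from the manual or the 266 firmware. It models the diagnostic flow just described and the alarm behaviour of 8.13.3: two independent computation flows are compared in the microcontroller, a mismatch drives the output to the user-selected alarm level, a sensor fault latches the output at 3.6 mA regardless of that selection, and a read-back check compares the commanded current with the feedback A/D converter and the loop supply. The raw-count scaling, the comparison tolerances, the supply window and the 21 mA up-scale value are assumptions chosen for the example; the page itself only states the 3.6 mA latch and the up-scale default.

```c
/*
 * Added illustration, not ABB code: simplified model of the two-flow
 * comparison, alarm selection and output-stage read-back described in
 * sections 8.13.3 and 8.15. All numeric constants except the 3.6 mA
 * latch are assumptions for this example.
 */
#include <stdbool.h>
#include <stdio.h>

typedef enum { ALARM_UPSCALE, ALARM_DOWNSCALE } alarm_mode_t;

#define ALARM_UPSCALE_MA        21.0  /* assumed up-scale alarm current */
#define ALARM_DOWNSCALE_MA       3.6  /* assumed down-scale alarm current */
#define SENSOR_FAULT_LATCH_MA    3.6  /* latch value stated on the page */
#define FLOW_MISMATCH_TOL_BAR   0.05  /* assumed tolerance between flows */
#define READBACK_TOL_MA          0.2  /* assumed DAC vs feedback-ADC tolerance */
#define RAW_FULL_SCALE        65535u  /* assumed 16-bit front-end counts */
#define RAW_FULL_SCALE_BAR      10.0  /* assumed sensor span in bar */

typedef struct {
    double range_lo_bar;   /* pressure at 4 mA */
    double range_hi_bar;   /* pressure at 20 mA */
    alarm_mode_t alarm;    /* user-selected alarm level, up-scale by default */
    bool sensor_fault;     /* e.g. crystal breakdown reported by the front end */
} xmtr_cfg_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Flow A: scale raw counts, then add an assumed temperature correction. */
static double flow_a_pressure(unsigned raw, double temp_c) {
    double p = (double)raw * (RAW_FULL_SCALE_BAR / RAW_FULL_SCALE);
    return p + 0.001 * (temp_c - 25.0);
}

/* Flow B: same physics, deliberately written as a different sequence of
 * operations so a corrupted intermediate in one flow is not mirrored. */
static double flow_b_pressure(unsigned raw, double temp_c) {
    double frac = (double)raw / RAW_FULL_SCALE;
    double comp = (temp_c - 25.0) / 1000.0;
    return frac * RAW_FULL_SCALE_BAR + comp;
}

/* Map a validated pressure onto the 4-20 mA loop (assumed clamps). */
static double pressure_to_ma(const xmtr_cfg_t *c, double p_bar) {
    double span = c->range_hi_bar - c->range_lo_bar;
    double ma = 4.0 + 16.0 * (p_bar - c->range_lo_bar) / span;
    if (ma < 3.8)  ma = 3.8;
    if (ma > 20.5) ma = 20.5;
    return ma;
}

static double alarm_current(const xmtr_cfg_t *c) {
    return c->alarm == ALARM_UPSCALE ? ALARM_UPSCALE_MA : ALARM_DOWNSCALE_MA;
}

/* One measurement cycle: returns the current the output stage is commanded
 * to. raw_a and raw_b are the samples feeding the two independent flows. */
double compute_output_ma(const xmtr_cfg_t *c, unsigned raw_a, unsigned raw_b,
                         double temp_c) {
    if (c->sensor_fault)
        return SENSOR_FAULT_LATCH_MA;        /* latches regardless of alarm mode */
    double pa = flow_a_pressure(raw_a, temp_c);
    double pb = flow_b_pressure(raw_b, temp_c);
    if (absd(pa - pb) > FLOW_MISMATCH_TOL_BAR)
        return alarm_current(c);             /* flows disagree: safety condition */
    return pressure_to_ma(c, 0.5 * (pa + pb));
}

/* Output-stage check: the commanded current must agree with the feedback
 * A/D reading and the loop supply must be inside an assumed window. */
bool output_stage_ok(double commanded_ma, double readback_ma, double supply_v) {
    if (supply_v < 10.5 || supply_v > 42.0)
        return false;
    return absd(commanded_ma - readback_ma) <= READBACK_TOL_MA;
}

/* Convenience wrapper with an assumed 0..10 bar calibrated range. */
double demo_output_ma(alarm_mode_t alarm, bool sensor_fault,
                      unsigned raw_a, unsigned raw_b, double temp_c) {
    xmtr_cfg_t c = { 0.0, 10.0, alarm, sensor_fault };
    return compute_output_ma(&c, raw_a, raw_b, temp_c);
}

int main(void) {
    double ma = demo_output_ma(ALARM_UPSCALE, false, 32768u, 32768u, 25.0);
    printf("healthy cycle : %.2f mA, readback ok=%d\n",
           ma, output_stage_ok(ma, ma + 0.1, 24.0));
    printf("flow mismatch : %.2f mA\n",
           demo_output_ma(ALARM_UPSCALE, false, 32768u, 40000u, 25.0));
    printf("sensor fault  : %.2f mA\n",
           demo_output_ma(ALARM_UPSCALE, true, 32768u, 32768u, 25.0));
    return 0;
}
```

The point of the two differently written flows is that a single corrupted intermediate value or a single-bit fault in one path produces a disagreement rather than a plausible but wrong current; the read-back check then covers the output stage itself, which neither flow can see.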
8.16 Commissioning and configuration issues
The transmitter is considered to be in the safety condition
(normal operating mode) when the write protect switch, located
outside the transmitter housing below the metallic nameplate, is
in the Write Protect position. In that condition all configuration
changes to the device are disabled.
8.17 Operating mode enabling and disabling
Operating mode can be enabled or disabled depending on the
switch position. It is also possible to put the device in the write
protect condition by a dedicated HART command. In any case
the switch position takes priority over the software command.
2600T Series Pressure transmitters | SOI/266-XC Rev. D 23
8 Safety manual