LUDWIG SCHNEIDER Functional safety
Introduction
Under certain conditions, electronic thermometers can be used in
safety-related systems according to IEC 61508. The version of the
electronic thermometer (such as a resistance thermometer or
thermocouple) and the technical characteristics of the temperature
transmitter used must be taken into consideration, as well as the
evaluation of safety-related systems.
This technical information describes the basics of functional safety
in accordance with IEC 61508 and provides recommendations for
the safety-related design of temperature measurement points.
Need to reduce risk
LUDWIG
SCHNEIDER
LUDWIG DATA
TEL:400-860-9760
www.Ludwig-Schneider.com.cn
2020 YEAR 00 50 7-0 52 7-1 01 3 Ch Version
Functional safety
Safety related temperature measurement in accordance with IEC 61508
As society has ever higher expectations for the safety of technical
plants, the risks posed by technical systems have become smaller and
smaller over time. Guidelines and standards have been created to help
each plant operator run the plant with the highest level of safety.
Accident analysis and risk assessment are the foundation of this. The
purpose is to reduce the risk caused by dangerous goods: safety
measures in the technical system bring the risk down to an acceptable
level in line with social values. In order to prevent dangerous
failures in the plant, an electrical/electronic/programmable
electronic system (E/E/PE system) is adopted. The sum of all safety
functions needed to maintain the safe state of the plant is referred
to as a safety instrumented system (SIS) or safety-related system.
An example of such a safety system is a temperature monitoring
system. When the temperature exceeds the limit, the system
reliably shuts down the power supply of the factory and puts it in a
safe state, thereby preventing dangerous events from occurring.
Safety-related system architecture
Electrical/electronic/programmable electronic systems are mainly composed of sensors, controllers and actuators.
The case considered here is the single-channel architecture of the safety system (1oo1 system).
The architecture describes the specific configuration of the hardware and software elements in the system.
A 1oo1 system consists of one channel, which must operate safely for the safety function to be performed (1 out of 1).
For a safety system with a multi-channel architecture, the hardware or software elements need to be redundant (see "Redundant system").
Figure: Example of a single-channel architecture for a safety instrumented system: sensor subsystem (electronic thermometer with temperature transmitter), logic subsystem (programmable logic controller), actuator subsystem (valve).
Responsibilities of the system installer/factory operator
Factory operators can use electronic thermometers with S20-H temperature transmitters (head-mounted type)
and S20-R (rail-mounted type) as the sensor subsystem of the safety instrumented system.
Temperature transmitter, model S20
Legislative basis
The IEC 61508 series of standards, "Functional safety of electrical/
electronic/programmable electronic safety-related systems", is known
as the basic safety standard. It describes measures to prevent and
control failures in instruments and equipment, and can be used in
various industries.
IEC 61508 should be used especially in the following situations:
- The safety function is realized by an E/E/PE system
- A failure of the safety instrumented system will cause harm to
  personnel and the environment
- There is no specific standard for the safety system design
IEC 61508 represents the state of the art in the design of safety
instrumented systems. When designing a safety system, it is absolutely
necessary to follow the best available technology, namely IEC 61508.
There are also application-specific standards for planners, contractors,
and operators of safety systems. Examples are IEC 61511 "Functional
safety of the process industry sector - Safety instrumented systems"
for the process industry and EN 62061 "Machine safety - Functional
safety of safety-related electrical, electronic and programmable
electronic control systems" for machines.
When the electronic thermometer is used with a temperature transmitter
certified for safety-related applications, it can be used in a safety instrumented
system that complies with the IEC 61508 standard. The S20 temperature transmitter
was developed in accordance with IEC 61508 for the process industry and has been
certified by TÜV Rheinland.
Electronic thermometers without temperature transmitters (such as resistance
thermometers or thermocouples) are not covered by IEC 61508 because
(for example) the measuring resistor is a simple electronic component that
cannot perform any self-diagnosis or error detection.
For electronic thermometers without IEC 61508 certified temperature
transmitters, only the failure rate can be specified. This is because the types of
faults that can be detected and safely identified in an electronic thermometer
always depend on the operator's evaluation tool.
Through the certification of S20 temperature transmitter, the combination of
temperature transmitter and electronic thermometer has been considered.
In the safety manual "Functional safety information of S20 temperature transmitter",
the safety-related characteristic values of the temperature transmitter,
the connected temperature sensor and the entire component are specified.
For evaluation, the sensor subsystem is divided into the elements "electronic
thermometer (temperature sensor)" and "temperature transmitter".
The temperature sensor is classified as a type A component (basic component),
the temperature transmitter as a type B component (complex component).
Figure: Sensor subsystem composed of temperature transmitter (model S20) and temperature sensor (thermocouple or resistance thermometer).
Safety related system assessment
Safety integrity defines the probability of performing a safety
function on demand (that is, in the event of a system failure).
As a measure of the safety integrity requirements, it is divided
into four safety integrity levels (SIL). If SIL 4 is reached,
the probability of performing the safety function is the greatest,
so the risk can be minimized.
Figure: Safety integrity levels SIL 1, SIL 2, SIL 3, SIL 4, ordered from low to high safety integrity and from low to high safety.
The term "SIL" is therefore an important parameter of a safety system,
but it is often used as a synonym for "functional safety".
The safety integrity level always involves the entire safety system.
An individual element has no SIL, but it may still be suitable for SIL
applications. For example, the S20 temperature transmitter alone does
not constitute a safety-related system. The operator is responsible
for defining and maintaining the required safety integrity level,
for the entire safety system as well as for its various elements!
Rodriguez, as a manufacturer of electronic thermometers,
provides support for this: on the one hand by confirming that
the requirements of IEC 61508 have been met, for example during
the development of the S20; on the other hand by providing
operators with appropriate safety-related characteristic data for
equipment design and safety function evaluation.
Safety system requirements
In order to design temperature measurement points optimized for
safety-related systems, the following aspects must be considered:
- The safe state of the plant and the safety function of each
  element must be defined by the plant operator.
- The required safety integrity level must be determined by the
  operator of the safety system through the risk assessment and risk map.
- The working conditions of the thermometer (process medium,
  environmental influence) should be fully specified so that
  the temperature measurement point can be optimized together
  with Rodriguez.
- The instructions on the thermometer used in the Rodriguez
  documentation must be followed.
- Make sure that the wetted parts are suitable for the measuring medium.
The basis for obtaining the best safety at the temperature measurement point
is the correct electronic thermometer design to meet process requirements.
The next step is to select a temperature transmitter suitable for the safety system,
which will detect as many fault types as possible,
both in the electronic thermometer and in the transmitter itself.
Take temperature transmitter model S20 as an example to determine
the maximum achievable safety integrity level
In order to determine the safety integrity level of safety-related systems, the requirements for systematic
safety integrity and hardware safety integrity must be determined at the same time.
Systematic safety integrity
In order to meet the requirements of systematic safety integrity,
systematic failures must be considered. Systematic failures are design
failures, manufacturing failures or operational failures. To reduce
these hazards, IEC 61508 specifies the safety measures that must be
maintained during the entire service life (product life cycle) of
the technical system. The safety life cycle of a safety system starts
from the concept and ends with decommissioning. As part of
the safety management in the S20 development process,
for example, systematic failures can be prevented through verification
and validation activities, as well as plans and detailed
documentation. Therefore, the software of model S20 even
meets the SIL 3 standard for safety integrity.
Hardware safety integrity
Random failure
In order to evaluate hardware safety integrity, attention must be
paid to random failures. These are caused by random changes in
component behavior, e.g. an open circuit, a short circuit or a
random change of a capacitor value in the circuit. Random failures
cannot be avoided. Only the probability of such failures can be
calculated. The failure rate is given in units of FIT (Failure in Time).
It is defined as:
In a time interval, the sum of all failures calculated with a constant
failure rate is called the basic failure rate λB. The basic failure rate
is composed of dangerous failures that affect the safety function
(λD = dangerous) and non-dangerous failures (λS = safe).
Depending on whether a fault can be detected through the
diagnostic function of the electronic equipment in the safety system
or remains undetected, dangerous and non-dangerous
faults can be further subdivided.
Failure rate breakdown:
- λSD = safe and detectable
- λSU = safe and undetectable
- λDD = dangerous, detectable
- λDU = dangerous, undetectable
The electronic thermometer may have the following malfunctions:
- Open circuit: measuring circuit interrupted
- Short circuit: two connecting cables accidentally connected
- Drift due to changes in the resistance material or drift in the thermoelectric voltage
- Changes in lead resistance, e.g. through temperature changes
Depending on the fault detection function of the temperature transmitter used,
the different faults in the electronic thermometer must be assigned to a
fault type (λSD, λSU, λDD, λDU).
Types of malfunctions of electronic thermometers
Table 1: Fault detection by temperature transmitter model S20

| Circumstances in which the electronic thermometer may malfunction | Resistance thermometer, 2-wire connection | Resistance thermometer, 3-wire connection | Resistance thermometer, 4-wire connection | Thermocouple |
|---|---|---|---|---|
| Open circuit | λDD | λDD | λDD | λDD |
| Short circuit | λDD | λDD | λDD | λDU |
| Drift | λDU | λDU | λDU | λDU |
| Lead resistance change | λDU | λDD 1) | λDD 1) | λDD |

1) The lead resistance change in the 3-wire connection can be detected only when the connecting cables between the measuring resistor and the transmitter have the same length and the same wire cross-section.
In the literature, the failure rates of thermocouples and resistance thermometers are given in different applications
and configurations. The failure rate is based on the "worst case" of the thermometer failure and provides guidance for
the design of the safety instrumented system.
When using the failure rate, the working conditions and the connecting cable between the measuring point and
the transmitter should be considered. They are distinguished based on the vibration requirements of the operating site
(low stress/high stress) and the type of connection between the measuring point and the temperature transmitter
(closed connection/extension cord) (see "Definitions and Abbreviations").
Table 2: Failure rate of thermocouples without temperature transmitter

| Fault type | Tightly coupled, low stress | Tightly coupled, high stress | Extension cord, low stress | Extension cord, high stress |
|---|---|---|---|---|
| Open circuit | 95 FIT | 1,900 FIT | 900 FIT | 18,000 FIT |
| Short circuit | 4 FIT | 80 FIT | 50 FIT | 1,000 FIT |
| Drift | 1 FIT | 20 FIT | 50 FIT | 1,000 FIT |
Table 3: Failure rate of 4-wire resistance thermometer without temperature transmitter

| Fault type | Tightly coupled, low stress | Tightly coupled, high stress | Extension cord, low stress | Extension cord, high stress |
|---|---|---|---|---|
| Open circuit | 42 FIT | 830 FIT | 410 FIT | 8,200 FIT |
| Short circuit | 3 FIT | 50 FIT | 20 FIT | 400 FIT |
| Drift | 6 FIT | 120 FIT | 70 FIT | 1,400 FIT |
Table 4: Failure rate of resistance thermometers with 2-wire or 3-wire connection without temperature transmitter

| Fault type | Tightly coupled, low stress | Tightly coupled, high stress | Extension cord, low stress | Extension cord, high stress |
|---|---|---|---|---|
| Open circuit | 38 FIT | 758 FIT | 371 FIT | 7,410 FIT |
| Short circuit | 1 FIT | 29 FIT | 10 FIT | 190 FIT |
| Drift | 9 FIT | 173 FIT | 95 FIT | 1,900 FIT |
Element safety integrity level restrictions
The maximum SIL achievable for an element of the safety system is limited by the following factors:
- Proportion of safe failures of hardware elements
  (safe failure fraction, SFF)
- Hardware Fault Tolerance (HFT)
  Hardware fault tolerance is a measure of the redundancy
  of a safety system. When the hardware fault tolerance is N, N + 1 is
  the minimum number of errors that may cause the loss of the safety
  function. The hardware fault tolerance of the single-channel safety
  instrumented system architecture is zero.
- Complexity of components (type A and type B components)
  - Type A components are basic components whose failure behaviour
    is fully defined and whose faults can be determined. Type A components
    are, for example, resistance temperature sensors and thermocouples.
  - For complex type B components, the failure behaviour of at least
    one component is undefined or not fully defined.
    A type B component is, for example, an electronic circuit including
    a microprocessor. The S20 temperature transmitter is defined as a
    type B component (see Table 5).
In order to calculate the SFF value of the resistance temperature sensor and thermocouple connected to the S20 temperature transmitter,
the failure rate of the temperature sensor should be subdivided into categories (λS, λDD, λDU), and the diagnostic function of the transmitter
should be considered. The SFF value can then be calculated according to the following formula:
Therefore, temperature sensors defined as type A components in the single-channel architecture (HFT = 0) can be used in safety
instrumented systems up to SIL 2, provided that SFF ≥ 60% is maintained according to Table 5. For the S20 temperature
transmitter, as a type B component, SFF ≥ 90% is required.
Table 5: The maximum safety integrity level of components depends on hardware fault tolerance,
component complexity and safe failure fraction (SFF)

| SFF | HFT 0, Type A | HFT 0, Type B | HFT 1, Type A | HFT 1, Type B | HFT 2, Type A | HFT 2, Type B |
|---|---|---|---|---|---|---|
| <60% | SIL 1 | Not allowed | SIL 2 | SIL 1 | SIL 3 | SIL 2 |
| 60 ... <90% | SIL 2 | SIL 1 | SIL 3 | SIL 2 | SIL 4 | SIL 3 |
| 90 ... <99% | SIL 3 | SIL 2 | SIL 4 | SIL 3 | SIL 4 | SIL 4 |
| ≥99% | SIL 3 | SIL 3 | SIL 4 | SIL 4 | SIL 4 | SIL 4 |
These components are allowed to be used in safety instrumented systems with corresponding SIL only when the SFF values of the temperature
transmitter and temperature sensor both reach the specified limit. In addition, the PFD value of the entire safety function must meet
the requirements of Table 6.
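The SFF evaluation described above, as an added example that is not part of the original document: it splits the sensor failure rates of Tables 2 to 4 into λDD and λDU using the fault detection of Table 1, applies the standard IEC 61508 definition SFF = (λS + λDD) / (λS + λDD + λDU), and reads the SIL cap from Table 5. Assumptions: λS of the sensor is taken as 0 because Tables 2 to 4 list no safe failures, and the transmitter SFF of 0.92 is a constructed value, not a figure from the S20 safety manual.

```python
"""Added example: SFF of a temperature sensor behind an S20 and the SIL cap from Table 5."""

# Table 1: how the transmitter classifies each sensor fault (DD = detected, DU = undetected).
# Lead-resistance changes are left out because Tables 2-4 give no failure rate for them.
DETECTION = {
    "rtd_2wire":    {"open": "DD", "short": "DD", "drift": "DU"},
    "rtd_3wire":    {"open": "DD", "short": "DD", "drift": "DU"},
    "rtd_4wire":    {"open": "DD", "short": "DD", "drift": "DU"},
    "thermocouple": {"open": "DD", "short": "DU", "drift": "DU"},
}

# Tables 2-4: failure rates in FIT as (open, short, drift) per (coupling, stress).
_TABLE_2 = {("close", "low"): (95, 4, 1), ("close", "high"): (1900, 80, 20),
            ("extension", "low"): (900, 50, 50), ("extension", "high"): (18000, 1000, 1000)}
_TABLE_3 = {("close", "low"): (42, 3, 6), ("close", "high"): (830, 50, 120),
            ("extension", "low"): (410, 20, 70), ("extension", "high"): (8200, 400, 1400)}
_TABLE_4 = {("close", "low"): (38, 1, 9), ("close", "high"): (758, 29, 173),
            ("extension", "low"): (371, 10, 95), ("extension", "high"): (7410, 190, 1900)}
FIT_RATES = {"thermocouple": _TABLE_2, "rtd_4wire": _TABLE_3,
             "rtd_2wire": _TABLE_4, "rtd_3wire": _TABLE_4}

# Table 5: maximum SIL per SFF band (<60 %, 60..<90 %, 90..<99 %, >=99 %); None = not allowed.
SFF_LIMITS = (0.60, 0.90, 0.99)
MAX_SIL = {
    "A": {0: (1, 2, 3, 3), 1: (2, 3, 4, 4), 2: (3, 4, 4, 4)},
    "B": {0: (None, 1, 2, 3), 1: (1, 2, 3, 4), 2: (2, 3, 4, 4)},
}


def split_rates(sensor, coupling, stress):
    """Return (lambda_DD, lambda_DU) in FIT for one sensor configuration."""
    rates = dict(zip(("open", "short", "drift"), FIT_RATES[sensor][(coupling, stress)]))
    totals = {"DD": 0, "DU": 0}
    for fault, fit in rates.items():
        totals[DETECTION[sensor][fault]] += fit
    return totals["DD"], totals["DU"]


def safe_failure_fraction(lambda_s, lambda_dd, lambda_du):
    """SFF = (safe + dangerous detected) / all failures."""
    total = lambda_s + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("failure rates must sum to a positive value")
    return (lambda_s + lambda_dd) / total


def max_sil(sff, component_type, hft=0):
    """Table 5 lookup: SIL cap for a type 'A' or 'B' element at the given HFT."""
    band = sum(sff >= limit for limit in SFF_LIMITS)
    return MAX_SIL[component_type][hft][band]


def sensor_subsystem_sil(sensor, coupling, stress, transmitter_sff, hft=0, lambda_s=0.0):
    """SIL cap of sensor (type A) plus transmitter (type B); both must reach the limit."""
    dd, du = split_rates(sensor, coupling, stress)
    sensor_cap = max_sil(safe_failure_fraction(lambda_s, dd, du), "A", hft)
    transmitter_cap = max_sil(transmitter_sff, "B", hft)
    if sensor_cap is None or transmitter_cap is None:
        return None
    return min(sensor_cap, transmitter_cap)


if __name__ == "__main__":
    for sensor in DETECTION:
        dd, du = split_rates(sensor, "close", "low")
        sff = safe_failure_fraction(0.0, dd, du)
        # 0.92 is a constructed transmitter SFF, not a value from the S20 safety manual.
        cap = sensor_subsystem_sil(sensor, "close", "low", 0.92)
        print(f"{sensor:13s} SFF={sff:6.1%} subsystem SIL cap={cap}")
```

The result is only the architectural cap from SFF and HFT; the PFDavg requirement of Table 6 still has to be met separately.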
SIL limit of the entire safety system
The IEC 61508 standard specifies the values for the safety integrity level of the entire safety system.
Depending on how often the safety system is demanded, two characteristic values are distinguished:
- PFH (probability of dangerous failure per hour)
  For operating modes with high or continuous demand rates (high
  demand), the average frequency of dangerous failures of the safety
  function. These modes are particularly relevant to machine
  manufacturing.
- PFDavg (probability of failure on demand)
  In a low demand rate (low demand) operating mode, the average
  probability of a dangerous failure on demand of the safety function.
Tproof represents the interval between repeated tests. After this
interval, through appropriate tests (verification tests), the system
will enter an almost "new" state within the specified service life.
Through this test, dangerous and undetectable faults can also be
detected. For electronic thermometers, regular calibration can
ensure that the measured value is still within the required accuracy
range. This also excludes unacceptably high drift.
With a one-year verification test interval (Tproof = 8,760 h), the
resistance thermometer connected to the S20 temperature
transmitter gives the following PFDavg value:
- Environmental conditions: low stress
- Connection between measuring point and transmitter:
  tight coupling
- Failure rate λDU = 16 FIT
Table 6: Limits of PFDavg and PFH on SIL of safety system

| Safety Integrity Level (SIL) | Average probability of a dangerous failure on demand of the safety function (PFDavg) | Average frequency of dangerous failures per hour (PFH) |
|---|---|---|
| 4 | ≥ 10^-5 to < 10^-4 | ≥ 10^-9 to < 10^-8 h^-1 |
| 3 | ≥ 10^-4 to < 10^-3 | ≥ 10^-8 to < 10^-7 h^-1 |
| 2 | ≥ 10^-3 to < 10^-2 | ≥ 10^-7 to < 10^-6 h^-1 |
| 1 | ≥ 10^-2 to < 10^-1 | ≥ 10^-6 to < 10^-5 h^-1 |
Therefore, in terms of the requirements of the PFDavg value,
this combination is suitable for safety systems with a safety level
of SIL 2, but due to the single-channel structure (see "Limited
Component Safety Integrity Level") and SFF, it is limited to SIL 2.
The formula described above is derived from IEC 61508. It is assumed
that the 8-hour time required for system update is negligible
compared to the verification test interval of 8760 h.
The PFDavg value depends almost linearly on the proof test interval
Tproof. The shorter the verification test interval, the better the
PFDavg value that can be obtained. Similarly, if the PFDavg value
of the entire system is lower than the allowable limit value,
the verification test interval can be increased. If the proof test
interval is shortened to 0.5 years, the PFDavg value will be halved,
and if it is expanded to 2 years, it will be doubled.
The smaller the PFDavg or PFH value, the greater the SIL that the
entire system can achieve. In Table 6, the PFDavg or PFH
characteristic values are assigned to safety integrity levels.
For the operator of the system, what counts is always the PFDavg value of
the entire safety system, not the value of an individual element.
For evaluation purposes, the following distribution of PFDavg values
of the safety system has been established as a criterion:
The distribution of sensors, controllers and actuators in
the total PFD value of SIS:
- Sensor (electronic thermometer): 35%
- Control system: 15%
- Actuator: 50%
Equipment operators can specify different
distributions of components.
If the sensor takes up less than 35% of the maximum
PFDavg value allowed for the safety system, such as an electronic
thermometer with the S20 temperature transmitter, the operator can
use a controller and actuator with a relatively poor PFDavg value.
Structural limitations
The structural characteristics of the safety instrumented system may
limit the maximum achievable SIL. In a single-channel architecture,
the maximum SIL is determined by the weakest link. In the safety system
shown, the "sensor" and "logic" subsystems are suitable for SIL 2, while
the "actuator" subsystem is only suitable for SIL 1. Therefore, the entire
safety system can only reach SIL 1 at most.
Figure: Components of safety-related systems: sensor subsystem (SIL 2), logic subsystem (SIL 2), actuator subsystem (SIL 1).
Redundant system
If two electronic thermometers with S20 temperature transmitters are installed
in parallel, common causes of failure must be considered. For example, when
environmental conditions or EMC interference affect multiple channels at the
same time, common cause failures may occur. These failures will affect all
channels of the redundant system at the same time.
Figure: Reliability block diagram: electronic thermometer in redundant configuration. Sensor channels: electronic thermometer 1 (with temperature transmitter), electronic thermometer 2 (with temperature transmitter); common cause failures.
To account for the impact of common cause failures, a "β factor"
is needed to calculate the PFD value of the redundant system.
The β factor is the proportion of undetected common
cause failures. According to IEC 61508-6, and considering that the
8 h period required for system refurbishment is negligible
compared with the verification test interval of 8760 h, the PFD
value of the 1oo2 structure is calculated using the following
simplified formula:
In order to determine the β factor, measures to reduce the
occurrence of common cause failures must first be defined.
Through engineering evaluation, it is necessary to work with
Rodriguez to determine to what extent each measure reduces
the occurrence of common cause failures.
In this case, the electronic thermometers in the figure above
represent a two-channel architecture (1oo2) system. This
structure is called a MooN system. A MooN system (M out of N)
consists of N independent channels, of which M channels must
operate safely so that the entire system can perform the safety
function.
In particular, the advantage of the S20 temperature transmitter is
that it can be used in homogeneous redundant systems up to SIL 3.
This means that an electronic thermometer with S20 temperature
transmitter is connected in parallel with a second thermometer
with a transmitter of the same structure. In a single-channel
architecture, the transmitter is suitable for SIL 2. Since the S20
temperature transmitter has been fully developed and certified
against all elements of the IEC 61508 standard (full
evaluation and development), the transmitter is also suitable as a
homogeneous redundant component for SIL 3 applications. Even during
the development process, failure avoidance measures in the
software were designed for SIL 3 applications. Therefore, the
S20 temperature transmitter is different from an instrument that is
proven in operation and is suitable for SIL applications only
on the basis of its earlier use.
Field instruments proven in practice in a two-channel architecture
achieve at most the SIL of a single instrument. Unlike with
S20 temperature transmitters, systematic failures of these
instruments could not be prevented or reduced in the first place, for
example during instrument development.
If the two electronic thermometers with temperature transmitters
differ as much as possible in terms of structure, measurement
principle and software, it is unlikely that common cause failures
will occur. So, for example, a resistance thermometer can be used
for one channel, and a thermocouple can be used for the other
channel. To perform the measurement, one thermowell can be
used for the resistance thermometer and another thermowell for
the thermocouple, or a single thermowell can be used for both.
When a single thermowell is used, a common cause failure is more
likely. When the temperature transmitters used are
from different manufacturers, and their structure and software are
different, a higher diversity can be achieved.
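The PFDavg evaluation for the single-channel case (λDU = 16 FIT, Tproof = 8,760 h) and for the 1oo2 case with a β factor, as an added example that is not part of the original document. The formulas in the document did not survive extraction, so the code uses the commonly used IEC 61508-6 simplifications with repair time neglected: PFDavg ≈ λDU·Tproof/2 for 1oo1 and ((1−β)·λDU·Tproof)²/3 + β·λDU·Tproof/2 for 1oo2. The β value of 0.10 and all function names are assumptions made for illustration.

```python
"""Added example: PFDavg for 1oo1 and 1oo2 sensor subsystems, checked against Table 6."""

FIT = 1e-9              # 1 FIT = 1e-9 failures per hour
SENSOR_SHARE = 0.35     # sensor share of the SIS PFDavg budget (distribution given in the text)

# Table 6, low-demand mode: upper PFDavg limit per SIL (lower limit is one decade below).
PFD_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}


def pfd_1oo1(lambda_du_fit, t_proof_h):
    """Single channel, repair time neglected: PFDavg ~ lambda_DU * Tproof / 2."""
    return lambda_du_fit * FIT * t_proof_h / 2


def pfd_1oo2(lambda_du_fit, t_proof_h, beta):
    """Two channels with common-cause fraction beta (simplified, repair time neglected)."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be between 0 and 1")
    x = lambda_du_fit * FIT * t_proof_h
    independent = ((1 - beta) * x) ** 2 / 3   # both channels fail independently
    common_cause = beta * x / 2               # one cause disables both channels
    return independent + common_cause


def sil_by_pfd(pfd_avg, share=1.0):
    """Highest SIL whose Table 6 upper limit, scaled by the subsystem share, is met (0 = none)."""
    for sil in (4, 3, 2, 1):
        if pfd_avg < share * PFD_UPPER[sil]:
            return sil
    return 0


def max_proof_interval_h(lambda_du_fit, target_sil, share=1.0):
    """Longest Tproof in hours that keeps a 1oo1 subsystem inside its PFDavg budget."""
    return 2 * share * PFD_UPPER[target_sil] / (lambda_du_fit * FIT)


def system_sil(pfd_sil, architectural_limits):
    """Weakest link: the PFD-based SIL capped by every subsystem's architectural limit."""
    return min([pfd_sil, *architectural_limits])


def evaluate():
    lam_du, t_proof = 16, 8760     # values from the text: RTD with S20, low stress, tight coupling
    beta = 0.10                    # constructed value; must come from an engineering evaluation
    single = pfd_1oo1(lam_du, t_proof)
    redundant = pfd_1oo2(lam_du, t_proof, beta)
    by_pfd = sil_by_pfd(single, SENSOR_SHARE)
    return {
        "pfd_1oo1": single,
        "sil_by_pfd_1oo1": by_pfd,
        "sil_1oo1_capped": system_sil(by_pfd, [2]),        # single-channel sensor limit SIL 2
        "weakest_link": system_sil(by_pfd, [2, 2, 1]),     # sensor 2, logic 2, actuator 1
        "pfd_1oo2": redundant,
        "common_cause_share": beta * single / redundant,   # part of 1oo2 PFD due to beta
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:20s} {value:.4g}")
```

With these inputs almost all of the remaining 1oo2 PFDavg comes from the common-cause term, which is why the measures that lower β matter more than the second channel's own failure rate.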
Summary of recommendations
In order to protect the measuring tool from the process medium
and to achieve quick and easy calibration of the electronic
thermometer, a protective thermometer accessory with
replaceable measuring tool should be used. According to the
requirements of the process, it is important to pay special
attention to the correct design of the thermowell.
In order to optimally design temperature measurement points
for safety-related applications, the requirements in the chapter
"Safety System Requirements" must be followed.
In addition, in safety applications, it is recommended to use the
S20 temperature transmitter (head-mounted or rail-mounted)
with a 4-wire connection resistance thermometer or
thermocouple. Through S20's extensive diagnostic functions and
the advantages of 4-wire connection, a high degree of safety in
temperature measurement can be ensured.
Abbreviations and definitions

| Abbreviation | Definition |
|---|---|
| Tightly coupled | The temperature transmitter is located in the connector (head-mounted) of the electronic thermometer. |
| DC | Diagnostic coverage |
| Extension cord | The temperature transmitter is located outside the connector of the electronic thermometer, for example in a cabinet away from the measuring point (remote installation). |
| FIT | Failure in Time |
| HFT | Hardware fault tolerance |
| High stress | Vibration application (≥67% of the maximum vibration resistance of the electronic thermometer) |
| Low stress | Low vibration (<67% of the maximum vibration resistance of the electronic thermometer) |
| PFDavg | Average probability of dangerous failure on demand of the safety function |
| PFH | Average frequency of dangerous failures of safety functions |
| RTD | "Resistance temperature detector"; resistance thermometer |
| SFF | Safe failure fraction of hardware elements |
| SIS | Safety Instrumented System |
| TC | Thermocouple |
| TR | "Temperature resistance"; resistance thermometer |
Re-evaluate the influence of temperature transmitter model S20 (from firmware version 2.2.3)
on safety-related characteristic values
Within the scope of the reassessment, no safety-related changes
were made to the temperature transmitter. The diagnostic range of
the transmitter remains unchanged. Only new evaluation methods
lead to changes in safety-related characteristic values.
New version of IEC 61508 standard
Since the preliminary evaluation of the S20 temperature transmitter,
the basic standard for functional safety, IEC 61508
"Functional safety of electrical/electronic/programmable
electronic safety-related systems", has been updated to the revised
version IEC 61508:2010. Starting from firmware version 2.2.3, the S20
will be evaluated against this version of the standard.
Update failure rate
In this context, the FMEDA (failure modes, effects and diagnostic
analysis) is also repeated with the current component failure rates.
The calculation is based on component failure rates according to
SN 29500. For resistance temperature sensors and thermocouples
connected to temperature transmitters, the failure rates were
determined by exida.com LLC.
Element analysis of the "sensor" subsystem
After the introduction of the term "element" in section 3.4.5 of
IEC 61508-4:2010, the interconnection of temperature transmitter
and electronic thermometer as the "sensor" subsystem is considered
and evaluated as follows:
- Element 1: electronic thermometer without transmitter
  (thermocouple or resistance thermometer).
  For HFT = 0 and SIL 2: type A, SFF ≥ 60%
- Element 2: S20 temperature transmitter
  (without thermocouple or resistance thermometer).
  For HFT = 0 and SIL 2: type B, SFF ≥ 90%
This separate consideration will affect the evaluation of the SFF value.
For example, the SIL 2 SFF required by a thermocouple or resistance
thermometer is reduced to 60%.
Application-specific failure rate
Through the re-evaluation of S20, the failure rate can be determined
according to the specific failure rate of the application, which depends
on the vibration level of the electronic thermometer installed, and
depends on the connection of the thermometer to the transmitter.
In addition, the failure rate of "standalone" temperature transmitters
is calculated for different configurations.
Higher failure rate
The failure rate of S20 transmitters connected to thermocouples
or resistance sensors has shown an improvement trend. Especially
for the "low stress, tightly coupled" situation, the failure rate of
dangerous, undetectable failures is reduced.
Effect on PFDavg value
Especially for "low stress, tightly coupled" application conditions,
the PFDavg value has been improved. If required, this allows users
to use logic or operating subsystems with correspondingly larger
PFDavg values in the safety instrumented system, or to extend
the verification test interval.
Rodriguez representative office in China
Rodriguez Automation Instrumentation (Guangzhou) Co., Ltd.
Luode Weige International Trade (Shanghai) Co., Ltd.
Phone: 400-860-9760
Website: www.Ludwig-Schneider.com.cn