Functional Safety Manual
M310/FSM, Rev BA
Operation and Maintenance
April 2017
Section 5 Operation and Maintenance
5.1 Proof-test requirement
During operation, a low-demand mode SIF must be proof-tested. The objective of proof-testing is to
detect failures within the equipment in the SIF that are not detected by any automatic diagnostics of the
system. Undetected failures that prevent the SIF from performing its function are the main concern.
Periodic proof-tests shall take place at the frequency (or interval) defined by the SIL verification
calculation. The proof-tests must be performed at least as frequently as specified in the
SIL verification calculation in order to maintain the required safety integrity of the overall SIF.
A sample procedure is provided in Appendix A: Proposed Proof-test Procedure.
Results from periodic proof-tests shall be recorded and periodically reviewed.
5.2 Repair and replacement
Repair procedures in the product manual must be followed.
5.3 Notification of failures
In case of malfunction of the system or SIF, the Mobrey Magnetic Level Switch (“level switch”) shall be put
out of operation and the process shall be kept in a safe state by other measures.
Emerson must be informed when the level switch is required to be replaced due to failure. The failure
that occurred shall be documented and reported to Emerson using the contact details on the back page of this
functional safety manual. This is an important part of Emerson’s SIS management process.
5.4 Useful lifetime
According to Section 7.4.9.5 of IEC 61508-2, a useful lifetime based on experience should be
assumed.
Although a constant failure rate is assumed by the probabilistic estimation method (see FMEDA report),
this only applies provided that the useful lifetime(1) of components is not exceeded. Beyond their useful
lifetime, the result of the probabilistic calculation method is therefore meaningless as the probability of
failure significantly increases with time. The useful lifetime is highly dependent on the subsystem itself
and its operating conditions.
This assumption of a constant failure rate is based on the bath-tub curve. Therefore, it is obvious that the
PFDAVG calculation is only valid for components that have this constant domain and that the validity of
the calculation is limited to the useful lifetime of each component.
Based on general field failure data and manufacturer component data, a useful life period of
approximately 10 to 15 years is expected for the Mobrey level switch. When plant experience indicates a
shorter useful lifetime than indicated here, the number based on plant experience should be used.
1. Useful lifetime is a reliability engineering term that describes the operational time interval where the failure rate of a device is relatively constant. It is not a term which covers
product obsolescence, warranty, or other commercial issues.
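The argument in 5.4, that a PFDAVG figure derived from a constant failure rate stops being valid once the useful lifetime is exceeded, can be checked numerically. The following is an added illustration, not taken from this manual or from the FMEDA report. The failure rate, proof-test interval and Weibull wear-out parameters are constructed values, the 15-year limit is the upper end of the range quoted above, and the device is assumed to be found working (or restored without resetting its age) at each proof-test.

```python
import math

# All numeric values are constructed for illustration; real figures come from
# the FMEDA report and the SIL verification calculation.
LAMBDA_DU = 1.0e-7 * 8760            # dangerous undetected failures per year
PROOF_INTERVAL = 1.0                 # proof-test interval in years
USEFUL_LIFE = 15.0                   # upper end of the 10 to 15 year range in 5.4
WEAR_SCALE, WEAR_SHAPE = 20.0, 3.0   # hypothetical Weibull wear-out parameters


def cumulative_hazard(age):
    """Flat floor of the bath-tub curve plus wear-out that starts after USEFUL_LIFE."""
    wear = max(age - USEFUL_LIFE, 0.0) / WEAR_SCALE
    return LAMBDA_DU * age + wear ** WEAR_SHAPE


def pfd_avg_interval(start_age, interval=PROOF_INTERVAL, steps=1000):
    """Average probability of an unrevealed failure over one proof-test interval.

    The device is assumed working at start_age (just proof-tested); the
    average is taken with the midpoint rule.
    """
    h0 = cumulative_hazard(start_age)
    dt = interval / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        total += 1.0 - math.exp(-(cumulative_hazard(start_age + t) - h0))
    return total / steps


def simplified_pfd_avg(interval=PROOF_INTERVAL):
    """Constant-rate approximation lambda_DU * TI / 2 for a single device."""
    return LAMBDA_DU * interval / 2.0


if __name__ == "__main__":
    print(f"constant-rate PFDavg: {simplified_pfd_avg():.2e}")
    for age in (0, 5, 10, 14, 16, 20, 25):
        ratio = pfd_avg_interval(age) / simplified_pfd_avg()
        print(f"interval starting at year {age:2d}: "
              f"PFDavg = {pfd_avg_interval(age):.2e} ({ratio:.1f}x constant-rate)")
```

Within the useful lifetime every proof-test interval gives the same PFDAVG as the constant-rate figure. Once the wear-out term is active the per-interval value grows with age, so a figure computed from the constant rate understates the real probability of failure on demand.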