Endress+Hauser Cerabar S PMC71, Functional Safety Manual

Page: 11 / 48

Cerabar S PMP71 Design
Hauser 11
3.3 Safety function
The device's safety functions are:
• Minimum, maximum or range monitoring
• Absolute pressure measurement
• Gauge pressure measurement
The assessment of the functional safety of a device includes the basic unit with the
main electronics, sensor electronics and sensor up to the sensor diaphragm and the
process connection mounted directly on the device. The process adapter and
mounted/enclosed accessories were not taken into account in the rating.
3.3.1 Safety-related output signal
The device's safety-related signal is the 4 to 20 mA analog output signal as per NAMUR
NE43. All safety measures refer to this signal exclusively. The device additionally
communicates for information only via HART and contains all HART features with
additional device information. HART communication is not part of the safety function. The
behavior of the output current in the event of a fault depends on the settings for the
alarms and warnings. The safety-related output signal is fed to a downstream logic unit,
e.g. a programmable logic controller or a limit signal transmitter, where it is monitored to
determine whether:
• it exceeds and/or drops below a predefined limit value
• a fault has occurred, e.g. failure current (≤3.6 mA, ≥21.0 mA, signal cable open circuit or
short-circuit).
NOTICE
In an alarm condition
‣
Ensure that the equipment under control achieves or maintains a safe state.
The following dangerous undetected failures can occur in the devices:
• An incorrect output signal that deviates from the real measured value by more than 1 %,
but is still in the 4 to 20 mA or 3.8 to 20.5 mA range
• A settling time that is delayed by more than the specified settling time plus tolerance
For fault monitoring, the logic unit must be able to detect both HI alarms (≥21 mA) and LO
alarms (≤3.6 mA).
The transmitter output is not safety-oriented during the following activities:
• Configuration changes
• Multidrop
• with SW version < 02.20 if the "Bus address (345)" parameter is set to ≠ "0".
• with SW version ≥ 02.20 if the "Current mode (052)" parameter is set to "Fixed" (local
display and FieldCare) or "Disabled" (HART handheld terminal).
• Simulation
• Proof testing
Alternative monitoring measures must be taken to ensure process safety during
configuration, proof-testing and maintenance work on the device.
3.3.2 Redundant configuration of multiple sensors
With redundant configuration with HFT = 1 (e.g. 1oo2 or 2oo3 architecture), the device
meets the requirements for SIL 3.
The common cause factors ß and ß
D
indicated in the table below are minimum values for
the device. These values should be used when calculating the failure probability of
redundantly connected devices according to IEC 61508-6. The plant-specific assessment