Safety Manual
Series 854 ATG/XTG level gauges
Part No.: 4417808_Rev01

Table of Contents
CHAPTER 1 Introduction
  1.1 About this Manual
    1.1.1 Purpose
    1.1.2 Content
    1.1.3 Related Documents
  1.2 Basic Skills and Knowledge
  1.3 Safety Standards
    1.3.1 Safety Instrumented Systems, Functions and Integrity Levels
    1.3.2 What standard to use
CHAPTER 2 Functions, Architecture and Compliance
  2.1 Functions
  2.2 Architecture
  2.3 Compliance
  2.4 Safety-related Data
  2.5 Safety Design
    2.5.1 Safety design
    2.5.2 Technical Data Servo 854 ATG/XTG
  2.6 Servo Auto Test 854 ATG/XTG
    2.6.1 Principle of Operation
  2.7 Fault Detection and Reaction
CHAPTER 3 Implementation
  3.1 General
  3.2 Assumptions and Constraints
  3.3 New Installation or Upgrade
    3.3.1 New Installation
    3.3.2 Upgrade
  3.4 Configuration
    3.4.1 Hardware Configuration
    3.4.2 Software Configuration
    3.4.3 Configuration – Servo Auto Test
    3.4.4 Configuration – Alarm Relay setting
    3.4.5 Configuration – Analog level output
  3.5 Verification of the Safety Instrumented Function(s)
CHAPTER 4 Maintenance Requirements
  4.1 Purpose
  4.2 Diagnostic items
  4.3 Proof Testing
CHAPTER 1 INTRODUCTION
1.1 About this Manual
1.1.1 Purpose
The Safety Manual provides information about the 854 ATG/XTG level
gauge that is relevant for integration of this servo-based level gauge
into a Safety Instrumented System (SIS). This manual is aimed at
technical personnel responsible for such integration.
1.1.2 Content
| Chapter title | Contents description |
|---|---|
| Introduction | This chapter. |
| Functions, Architecture and Compliance | Specification of the Safety Instrumented Functions (SIF) that are applied and the architecture(s) these SIFs need to operate. Furthermore relevant certification and compliance information is given. |
| Implementation | Description of - or reference to - details how to achieve and implement the applicable SIFs. |
| Maintenance Requirements | Description of - or reference to - details how to maintain the required Safety Integrity Levels of the implemented SIFs. |
1.1.3 Related Documents
• IEC 61508 (2010),
• IEC 61511 (2004),
• Instruction Manual Series 854 ATG level gauge; Part No.: 4416220,
• Installation guide 854 ATG level gauge; Part No.: 4416225,
• Instruction Manual Series 854 XTG level gauge; Part No.: 4416275,
• Installation guide 854 XTG level gauge; Part No.: 4416276,
• Instruction Manual SPU II Hard Alarm Contacts; Part No.: 4416223,
• Instruction Manual spot temperature and analog output; Part No.:
4416644.
1.2 Basic Skills and Knowledge
Before you start to work on the 854 ATG/XTG level gauge it is assumed
that you are certified to do work on safety related systems and devices
(i.e. certified Enraf Service Specialist), and that you have appropriate
knowledge of:
• The concepts and functioning of the 854 ATG/XTG level gauge,
• The applicable process and equipment under control within the SIS,
• This Safety Manual,
• Site procedures,
• Applicable safety standards (e.g. IEC 61508 and IEC 61511).
1.3 Safety Standards
1.3.1 Safety Instrumented Systems, Functions and Integrity Levels
Processes and Equipment Under Control (PUC/EUC) in the process
industry require a high level of safety. Safety Instrumented Systems
(SIS) are used to perform Safety Instrumented Functions (SIF).
Instrumentation that is used for SIFs, must meet minimum standards
and performance levels. Standards like IEC 61508 and IEC 61511 have
been developed for this purpose. One of the performance criteria that
these standards apply is the Safety Integrity Level (SIL).
IEC 61508 details the design requirements for achieving the required
SIL. The safety integrity requirements for each individual safety function
may differ. The safety function and SIL requirements are derived from
hazard analyses and risk assessments. The higher the level of adapted
safety integrity, the lower the likelihood of dangerous failure of the SIS.
These standards also address the safety-related sensors and final
elements regardless of the technology used.
The 854 ATG/XTG level gauge can be used for a specific SIF that
demands SIL 1 or SIL 2 (HFT = 0). If used in a redundant
arrangement, the 854 ATG/XTG level gauge can be applied in safety
loops that require SIL 3 (HFT = 1).
1.3.2 What standard to use
IEC 61508 has been developed as a generic standard. A framework of
standards for specific industry sectors, incl. IEC 61511, was based on
this one. The information in the table below is meant as a guideline.
| Standard | Typical application within the process industry |
|---|---|
| IEC 61508: Functional safety of electrical / electronic / programmable electronic (E/E/PE) safety-related systems | If you are a manufacturer, it is strongly recommended that you apply the IEC 61508. This generic standard is intended to provide guidance on how to develop E/E/PE safety-related devices as used in Safety Instrumented Systems (SIS). The IEC 61508 serves as a basis for the development of sector standards (e.g. for the machinery sector, the process sector, the nuclear sector, etc.). It can serve as stand-alone standard for those sectors where a sector specific standard does not exist. |
| IEC 61511: Functional safety - Safety instrumented systems for the process industry sector | If you are an owner/user, it is strongly recommended that you apply the IEC 61511. This standard addresses the application of SISs for the process industries. It requires a process hazard and risk assessment to be carried out, to enable the specification for SISs to be derived. In this standard a SIS includes all components and subsystems necessary to carry out the safety instrumented function from sensor(s) to final element(s). The standard is intended to lead to a high level of consistency in underlying principles, terminology and information within the process industries. This should have both safety and economic benefits. |
CHAPTER 2 FUNCTIONS, ARCHITECTURE AND COMPLIANCE
2.1 Functions
Besides its standard functions the 854 ATG/XTG level gauge can also be
used for a Safety Instrumented Function (SIF) for storage tanks in the
oil and gas industry. This function is:
• the SIL compliant “overfill protection” and/or “underfill protection”.
To establish that the safety parameters for this function of the 854 ATG/
XTG level gauge are in the range of SIL 2, it is necessary to:
• use the correct architecture; see chapter 2.2 "Architecture",
• apply the function correctly; for further details see:
  • chapter 3 "Implementation",
  • chapter 4 "Maintenance Requirements".
2.2 Architecture
“Overfill protection” and/or “underfill protection” in the range of SIL 2
for the 854 ATG/XTG level gauge can be established with the
standard architecture. However, specific hardware and software
requirements do apply; for further details see chapter 3.4
"Configuration".
2.3 Compliance
Organization Relevant details
The 854 ATG/XTG level gauge is considered to be a Type B system in the meaning of
IEC 61508. If implemented and maintained correctly, the safety parameters for the
“overfill protection” and/or “underfill protection” are in the range of SIL 2.
Details of the assessment and certification by TÜV Rheinland are recorded in:
Report No. V 56.05/14
Certificate No. V 56.05/14
2.4 Safety-related Data
The table below specifies the applicable data relating to IEC 61508:
| Entity / parameter | Value | Remarks |
|---|---|---|
| Safety Integrity Level | SIL 2 | As single channel safety related subsystem. With a structure establishing a hardware fault tolerance of 1 the device is usable in SIL 3 applications. |
| Classification of the device | Type B | |
| Mode of operation | Low demand mode / High demand mode / Continuous operation | Acc. to IEC 61508-4, 3.5.16 and Acc. to IEC 61511-1, 3.2.43,2 |
| Probability of Dangerous Failure on Demand | PFDavg = 5.48E-05 | For the calculation of PFDavg a test interval of Ti = 1 year has been assumed *1 |
| Hardware fault tolerance | HFT 0 | |
| Diagnostic coverage | DC 90 % | |
| Safe Failure Fraction (SFF) | SFF = 92.7 % | *2 |
| Probability of Failure per Hour | PFH = 1.25E-08 1/h | |
| MTBF dangerous failures | MTBFD 8.00E07 h | 9132 y |
| Dangerous failure rate | λD = 1.13E-07 1/h | 113 FIT |
| Safe failure rate | λS = 4.62E-08 1/h | 46 FIT |
| Total Failure Rate | λD + λS = 1.71E-07 1/h | 59 FIT |
| MTBF total | 5.84E+06 | 667 y |
| Proof Test Interval | To be defined | Refer to Figure 2-1. |

*1) If another proof test interval is to be used, the diagram (Figure 2-1) shows how the PFDavg is related to Ti.
*2) The SFF takes into account the failure detection provided by all mechanical, electronics and software components of the device.
TABLE 2-1 Safety-related data
FIGURE 2-1 PFDavg over Ti
2.5 Design and technical input
2.5.1 Safety design
FIGURE 2-2 shows a schematic diagram of the SIL compliant design.
The SIL compliant design comprises the 2 optional hardware alarm
relay output contacts, located on the SPU II board (Servo Processing
Unit), and/or the 4-20 mA analog level output, the circuit of which is
located on the HCU option board.
FIGURE 2-2 Safety design
The servo board controls the position of the displacer and thereby
‘measures’ the product level. Via the IPC (Inter Processor
Communication) bus, the level information is transferred to the XPU 2
board and the Option board. Continuous checks on the validity of the
level value, by checking the correct position of the drum & stepper
motor, guarantee a high diagnostic coverage (DC = 90%).
The 2 x SPDT relay contacts can activate at high level threshold setting
(overfill protection), or low level threshold setting (underfill protection).
Refer to section 3.4.2 "Software configuration".
The 4-20 mA analog level output is a passive output, which means it
requires an external DC supply voltage between 12 and 64 V. As the
4-20 mA signal reflects the level value, the threshold setting on overfill
or underfill value must be made in the logic solver.
2.5.2 Technical Data Servo 854 ATG/XTG
| Parameter | Range |
|---|---|
| Allowable differential pressure | Max. 40 bar (4 MPa, 580 psi) (model dependent) |
| Temperature: Process | -200 °C to +200 °C (-328 °F to +392 °F) |
| Temperature: Ambient | -40 °C to +65 °C (-40 °F to +149 °F) |

TABLE 2-2 Technical Data Servo 854 ATG/XTG
To establish SIL compliant “overfill protection” and/or “underfill protection” a sophisticated diagnostic test has been developed to
prove that the gauge is able to measure an upward and/or downward
movement of the product, reliably and covering the diagnostics.
This test is called the Servo Auto Test (1), and can be executed
automatically at a user defined interval. It can also be prompted by a
dedicated command for Proof Test purposes. Provided the required
configuration is established, the user can set this test to application
needs.
(1) The “Servo Auto Test” feature is covered by U.S.
Patent No. 8,997,549 and other patents pending.
2.6 Servo Auto Test 854 ATG/XTG
The Servo Auto Test makes use of the existing “Principle of
measurement” as described in the Instruction Manual, and has the
following features:
• it is executed automatically and autonomously,
• it is executed immediately after tank loading, as this is a critical moment,
• it is executed at regular intervals to prove that the moving parts of the gauge can move as intended,
• in case of a detected failure,
  • the appropriate alarm is initiated,
  • the applicable hardware relays are activated/de-activated (depending on the mode),
• during execution the display shows only the asterisk sign (*) in the level status, all other effects of the test are hidden,
  • i.e. level and relays,
  • for installed equipment (e.g. CIU’s) and systems,
• the installed base can be upgraded (for applicable prerequisites see chapter 3.3 "New Installation or Upgrade").
2.6.1 Principle of Operation
Starting from the situation that the displacer (D) is in rest at the product
level (PL), the Servo Auto Test consists of these basic steps:
1. The displacer is raised over a configurable distance (cd).
2. The wire tension (wt) is measured while the displacer is being raised.
3. Appropriate actions are initiated, only in case the wire tension exceeds the predetermined limit (X) caused by a mechanical obstruction.
4. The displacer is lowered to the product level.
NOTE: The duration of a Servo Auto Test mainly depends on
the configuration settings.
A typical Servo Auto Test running at default settings
may take approximately 15 seconds.
FIGURE 2-3 shows a graph that represents the actual and measured
product levels. The latter in fact is the level of the displacer. The displacer level correctly follows the actual product level, while at set intervals a Servo Auto Test occurs. This indicates that the level gauge is in a healthy state and the moving parts of the gauge can move as intended.
The Servo Auto Test occurrences take place at a set interval when the
product level is stable, or assumed to be stable. This is the case at
product levels PL1 and PL2. During tank filling the Servo Auto Test is
temporarily disabled. After end of filling is detected a certain time lapse (tl) passes (1) before the Servo Auto Test is started again. Afterwards Servo Auto Test occurrences take place at the set interval again.
(1) For details about parameters and settings
refer to chapter 3.4.2 "Software Configuration"
The product level (PL) is shown as a function of time
where PL1 is the initial stable level and PL2 is the stable
level after the tank was filled.
FIGURE 2-3 Servo Auto Test occurrences
2.7 Fault Detection and Reaction
During a Servo Auto Test fault detection is conducted as follows:
1. in case the wire tension exceeds its predetermined limit while the
displacer is raised, the displacer cycle is interrupted;
the displacer will be lowered to the product level;
2. a second displacer cycle is started;
in case this cycle is also interrupted the displacer will be lowered to
the product level again;
3. a third displacer cycle is started; in case this cycle is also interrupted the displacer will remain at the
blocked level;
4. a failure state has now occurred.
Upon a fault detection the 854 ATG/XTG level gauge will initiate fault
reaction as follows:
• relevant product levels are set to “fail” in their corresponding protocol
records (B, D, ZLQ); other product levels keep their last recorded values
(innage, ullage and corrected product levels),
• all product level statuses are set to “fail”,
• data item [ES] (Error SPU request) is set to code 0607 (Servo Auto Test
fail),
• relays (if present) are set in accordance with their “gauge fail” status
configuration,
• the displacer is kept at the blocked level,
• new gauge servo commands are not executed, unless the gauge is
in maintenance mode.
NOTE: Be aware that the cause of a failure must be
removed before you reset the gauge. Otherwise the
gauge will come into a fail state again.
The fail state of the 854 ATG/XTG level gauge due to a Servo Auto Test
failure ends when one or more of these actions occur:
• the user initiates a reset directly via the reset command (item [RS]),
• the user initiates a reset indirectly via the exit command (item [EX]),
• a power down / power up sequence.
Two typical fault situations exist in which faults are detected as
described above. Figures 2-4 and 2-5 both show a graph that also
represents the actual product level and the displacer level. Each figure
shows a typical situation. They represent identical failure states - under
different conditions - as a result of a mechanical obstruction.
FIGURE 2-4 shows fault situation 1 (FS1). The product level is rising
due to tank filling. Before it actually stops, end of filling is detected as a
result of an obstruction. After a certain time lapse (for details see 3.4.2)
a Servo Auto Test is initiated and the wire tension exceeds the limit in
three subsequent attempts. One of the results of the fault reaction is
that filling is stopped. In this situation PL2 represents the intended
product level after filling.
FIGURE 2-4 Failure State example - during tank filling
FIGURE 2-5 shows fault situation 2 (FS2). The product level is stable, in
this case at PL2. The Servo Auto Test is initiated at set intervals. During
a Servo Auto Test the wire tension exceeds the limit in three
subsequent attempts.
FIGURE 2-5 Failure State example - product level is stable
CHAPTER 3 IMPLEMENTATION
3.1 General
This chapter provides the information that is relevant for correct
implementation of the safety-related function(s) of the 854 ATG/XTG
level gauge.
3.2 Assumptions and Constraints
The user must install, implement and use the 854 ATG/XTG level gauge
according to the conditions that are specified in this manual. The SIL
compliant “overfill protection” and/or “underfill protection” will operate as
intended when:
• the standard architecture is present,
• the correct configuration is installed and commissioned.
Any servo-based level gauge of the type 854 ATG/XTG level gauge that
does not comply with these features cannot be used for this purpose.
3.3 New Installation or Upgrade
3.3.1 New Installation
In case you have purchased an 854 ATG/XTG level gauge that is
suitable for SIL compliant “overfill protection” and/or “underfill
protection”, this function is included by design. This means that the
required architecture, hardware and software are present in the device.
Correct implementation of the function is obtained by setting the
required configuration during commissioning.
3.3.2 Upgrade
In case you own an 854 ATG/XTG level gauge, the SIL compliant
“overfill protection” and/or “underfill protection” can be included by
upgrading the device. By ordering the option for SIL compliant “overfill
protection” you will receive the required features. Implementation of the
upgrade needs to be done by a qualified Service Engineer.
Implementation of the upgrade implies:
• for models that have an XPU-2 board installed, a firmware update
(EPROM) is required,
• for models that have an XPU-1 board installed, this must be replaced
by an XPU-2 board including firmware (EPROM),
• for models that have an SPU-2 board without Alarm relays installed, this must be replaced by an SPU-2 board with Alarm relays if SIL is required by relay contact.
• for models that have no HCU board or an HCU board without analog level output installed, this must be replaced by an HCU board with analog level output if SIL is required by analog level output,
• “commissioning” is done according to the instructions in the
854 ATG/XTG level gauge Instruction Manual.
3.4 Configuration
Hardware and software features contribute to the SIL compliant “overfill
protection” and/or “underfill protection”. TABLE 3-1 specifies the
relevant boards the 854 ATG/XTG level gauge must consist of and the
relevant firmware. Further details are described in the next paragraphs.
3.4.1 Hardware Configuration
This paragraph describes aspects of the design and integration of the
applicable hardware. The required hardware configuration of the 854
ATG/XTG level gauge is achieved by correct use of the specified
hardware elements (see TABLE 3-1). No further requirements apply to
the hardware configuration.
| Board type | Revision | Firmware | Version |
|---|---|---|---|
| XPU-2 | current | EPROM | ≥ H2.8 |
| SPU-1 | current | No density option | ≥ A2.3 |
| | | With density option | ≥ C2.3 |
| SPU-2 (1) | current | No density option | ≥ B2.3 |
| | | With density option | ≥ D2.3 |
| HCU (2) | current | With Analog output | ≥ A2.2 |

1. SPU-2 board is used, when SIL function is achieved through alarm relays.
2. HCU board is used, when SIL function is achieved through the analog level output. HCU board can be used in combination with SPU-1 or SPU-2 board.
TABLE 3-1 Required boards and firmware
3.4.2 Software Configuration
The following paragraphs describe the steps to achieve the correct
software configuration of the 854 ATG/XTG level gauge. They are:
• execution of the software settings (commissioning),
• configuration Servo Auto Test (refer to 3.4.3)
• configuration Relay contacts (refer to 3.4.4)
• configuration Analog level output (refer to 3.4.5)
• verification of the function (refer to 3.5).
3.4.3 Configuration – Servo Auto Test
To guarantee correct functioning of the “overfill protection” and/or “underfill protection” the Servo Auto Test configuration parameters must be set correctly.
TABLE 3-2 provides an overview of the applicable items and their
settings for configuration (N/A means: not applicable).
| Item | Description | Default (1) | Min - Max values (1) | Eng. unit (2) | Prot. level (3) |
|---|---|---|---|---|---|
| [SE] | Servo Auto Test enabled | <E> | N/A | N/A | 1 |
| [SH] | Servo Auto Test raise height | +000.0200 | +000.0100 - +000.2500 | see [LD] | 2 |
| [SI] | Servo Auto Test interval time | 00060 | 00001 - 40320 | minutes | 1 |
| [SY] | Servo Auto Test invalidates display and level | <N> | N/A | N/A | 1 |
| [XI] | Servo Auto Test level movement detector sample interval | 60 | 10 - 200 | seconds | 1 |
| [XT] | Servo Auto Test level movement detector trip distance | +000.0030 | +000.0010 - +000.3000 | see [LD] | 1 |

1. Values for heights and distances are given in meters.
2. LD is the standard item to set the Level Dimension:
(M = metres; F = feet; I = inches; P = fractions).
3. Protection levels are provided for all items, depending
on the importance of an item.
TABLE 3-2 Software settings (servo auto test)
Relevant configuration details per item are described below.
Item [SE].
In case compliant “overfill protection” is required the default value <E>
must be kept. In case this function is not required set the value to <D>.
Items [SH] and [SI]. The default settings provide for most common applications. The user
can adapt the values in accordance with application or process needs.
Item [SY].
With this item the visibility of Servo Auto Test details on a display and
host system is controlled. Preferably the default value <N> of this item is
kept. If the value is set to <Y> the host system can show that the gauge
is in test.
Items [XI] and [XT].
These items are related to the movement detector that samples the
level in the tank at regular intervals. They are also closely related to
each other. They are used to determine if the product level in a tank is
stable or moving.
With item [XI] the user determines the time between two consecutive
samples by the movement detector. Item [XT] represents the trip
distance. If the absolute difference between two samples exceeds the
trip distance it is assumed that the tank is being loaded or unloaded.
This movement detection is necessary to disable the Servo Auto Test
during loading and unloading of the tank. It is also used to determine
that the product movement stops and a Servo Auto Test can be initiated
again. Detection takes place after a certain time lapse. In theory the minimum
time lapse is zero (0) seconds and the maximum time lapse is 2 x [XI].
Although the default values for items [XI] and [XT] are based on field data
and experience, they cannot be automatically used. As circumstances
of different tank systems can strongly vary, appropriate values have to
be determined for any specific system.
It is advised to follow the steps below in the given order to determine the
values for these items to avoid over or underrated responses.
1. Determine the maximum deviation of the measured product level in
the tank when the product level is stable (PLSTAB-Δ), i.e. no loading or
unloading. Level deviations can occur due to weather conditions,
e.g. wind on a floating roof tank system.
2. Set the value of item [XT] in the engineering units of the gauge so that
it equals: PLSTAB-Δ + 1 mm.
3. Determine the average product level increase per second during
loading of the tank in the engineering units of the gauge. This is
variable A.
4. Calculate item [XI] as follows: [XI] = [XT] / (1/2 A).
The greater the value for item [XI] the longer it will take before the Servo
Auto Test is executed after tank loading is finished. Preferably, this
period must be as short as possible to prevent tank overfill due to a
mechanical obstruction.
This effect occurs because tank loading and unloading does not start
and stop suddenly. If these would occur abruptly parts of the tank
system can get damaged (e.g. pipes). Therefore opening and closing of
valves and starting and stopping of pumps is done gradually.
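The four steps above, worked through in code. This is an added example, not part of the manual or of any Enraf tool: the function and class names are hypothetical, [LD] is assumed to be metres, "maximum deviation" is taken as the peak-to-peak spread of the idle samples, and [XI] is rounded up to whole seconds.

```python
import math
from dataclasses import dataclass, field

# Limits from TABLE 3-2; this sketch assumes [LD] = M (metres).
XT_RANGE_M = (0.0010, 0.3000)   # [XT] trip distance
XI_RANGE_S = (10, 200)          # [XI] sample interval
MARGIN_M = 0.001                # the "+ 1 mm" of step 2


@dataclass
class DetectorSettings:
    xt_m: float                 # value for [XT]
    xi_s: int                   # value for [XI]
    max_lapse_s: int            # maximum time lapse, 2 x [XI]
    notes: list = field(default_factory=list)


def movement_detector_settings(stable_levels_m, fill_rate_m_per_s):
    """Apply steps 1-4 to level samples logged while the tank was idle.

    stable_levels_m   -- measured levels with no loading/unloading (step 1)
    fill_rate_m_per_s -- average level rise per second during loading,
                         variable A of step 3
    """
    if len(stable_levels_m) < 2:
        raise ValueError("need at least two stable-level samples")
    if fill_rate_m_per_s <= 0:
        raise ValueError("fill rate A must be positive")

    # Step 1: maximum deviation, taken here as the peak-to-peak spread
    # (assumption: the manual does not say how to compute it).
    deviation = max(stable_levels_m) - min(stable_levels_m)

    # Step 2: [XT] = deviation + 1 mm, at the 0.1 mm resolution of the item.
    xt = round(deviation + MARGIN_M, 4)

    # Step 4: [XI] = [XT] / (1/2 A). Rounded up to whole seconds (a choice
    # made for this example); the epsilon absorbs floating-point noise.
    xi = math.ceil(xt / (0.5 * fill_rate_m_per_s) - 1e-9)

    # Results outside the TABLE 3-2 ranges are reported, not silently clamped.
    notes = []
    if not XT_RANGE_M[0] <= xt <= XT_RANGE_M[1]:
        notes.append(f"[XT] {xt:.4f} m is outside {XT_RANGE_M}")
    if not XI_RANGE_S[0] <= xi <= XI_RANGE_S[1]:
        notes.append(f"[XI] {xi} s is outside {XI_RANGE_S}")
    return DetectorSettings(xt, xi, 2 * xi, notes)


# Constructed sample data: five idle readings (metres).
IDLE = [12.3451, 12.3460, 12.3447, 12.3466, 12.3455]

if __name__ == "__main__":
    for rate in (0.0001, 0.00001):   # constructed rates: 0.36 m/h, 0.036 m/h
        print(rate, movement_detector_settings(IDLE, rate))
```

With the slower constructed fill rate the computed [XI] falls outside the 10 - 200 s range of TABLE 3-2, which the function reports in `notes` so the values can be reviewed before commissioning.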
3.4.4 Configuration – Alarm relay setting
TABLE 3-3 provides an overview of the applicable items and their settings for configuration (N/A means: not applicable).

| Item | Description | Default (1) | Min - Max values (1) | Eng. unit (2) | Prot. level (3) |
|---|---|---|---|---|---|
| [AH] | Level alarm hysteresis | +000.0100 | -999.9999 - +999.9999 | see [LD] | 1 |
| [HA] | High level alarm | +026.0000 | -999.9999 - +999.9999 | see [LD] | 1 |
| [HH] | High high level alarm | +026.1000 | -999.9999 - +999.9999 | see [LD] | 2 |
| [LA] | Low level alarm | +002.0000 | -999.9999 - +999.9999 | see [LD] | 1 |
| [LL] | Low low level alarm | +001.9000 | -999.9999 - +999.9999 | see [LD] | 1 |
| [RY] | Relay alarm mode | <HA-LA-> | N/A | N/A | 2 |
| [RZ] | Relay mode | <DEDE> | N/A | N/A | 2 |

1. Values for heights and distances are given in meters.
2. LD is the standard item to set the Level Dimension:
(M = metres; F = feet; I = inches; P = fractions).
3. Protection levels are provided for all items, depending
on the importance of an item.
TABLE 3-3 Software settings (alarm relay settings)
Relevant configuration details per item are described below.
Item [AH]. With this item a hysteresis is set around the alarm value. The default setting is 10 mm; in case of very turbulent product surface conditions, the hysteresis value can be set larger.
Item [HA]. With this item a high level alarm set point is given. Depending on the
setting of item [RY], this can be used in the “overfill protection”.
Item [HH]. With this item a high high level alarm set point is given. Depending on
the setting of item [RY], this can be used in the “overfill protection”.
Item [LA]. With this item a low level alarm set point is given. Depending on the
setting of item [RY], this can be used in the “underfill protection”.
Item [LL]. With this item a low low level alarm set point is given. Depending on the
setting of item [RY], this can be used in the “underfill protection”.
Item [RY].
This item ‘links’ two of the settings of items [HA], [HH], [LA] and [LL] to the
two alarm relays and defines the alarm mode.
The first three characters are related to alarm relay 1 and the last three
characters are related to alarm relay 2.
The linking is straightforward: characters 1 and 2 (for alarm relay 1) and
characters 4 and 5 (for alarm relay 2) contain the alarm setting
according to the item notation: HA, HH, LA or LL.
The alarm mode in character 3 (for alarm relay 1) and 6 (for alarm
relay 2) is one of the following characters with the meaning:
• T relay will always be active if alarm level is reached.
• - relay will only be active if alarm level is reached and there is no
test status active.
• W relay will only be active if alarm level is reached and there is no
test status active and there is no water dip measurement active.
Item [RZ]. This item defines the relay mode as follows:
Character 1 (for alarm relay 1) and character 3 (for alarm relay 2) set
the operational mode:
• E normally energized
• D normally de-energized
For safe fail operation, the normally energized operation mode must be
selected.
Character 2 (for alarm relay 1) and character 4 (for alarm relay 2) set
the fail mode:
• E energize relay on gauge fail
• D de-energize relay on gauge fail
For safe fail operation, the de-energized fail mode must be selected.
A fail safe operation of the alarm relay is obtained by using the Normally
Closed relay contact in combination with the Normally Energized
operation mode.
3.4.5 Configuration – Analog level output
TABLE 3-4 provides an overview of the applicable items and their settings for configuration (N/A means: not applicable).
Item | Description        | Default (1) | Min - Max values (1)  | Eng. unit (2) | Prot. level (3)
[AM] | Analog 4 mA level  | +000.0000   | -999.9999 - +999.9999 | see [LD]      | 1
[AN] | Analog 20 mA level | +000.0000   | -999.9999 - +999.9999 | see [LD]      | 1
[AK] | Analog output mode | <D>         | N/A                   | N/A           | 1
1. Values for heights and distances are given in meters.
2. LD is the standard item to set the Level Dimension:
(M = metres; F = feet; I = inches; P = fractions).
3. Protection levels are provided for all items, depending
on the importance of an item.
TABLE 3-4 Software settings (analog level output)
Relevant configuration details per item are described below.
Item [AM]. This item contains the level value which must correspond to 4 mA.
Item [AN]. This item contains the level value which must correspond to 20 mA.
Item [AK]. This item selects under what conditions the analog output current will
operate. It contains one character and means:
• L Iout is set to 3.5 mA in case of invalid level or level fail and no
last valid level available.
• M Iout is set to 22 mA in case of invalid level or level fail and no last
valid level available.
• A Iout is set to 3.5 mA in case of level fail.
• B Iout is set to 22 mA in case of level fail.
• I Iout is set to 3.5 mA in case of level fail and invalid level.
• J Iout is set to 22 mA in case of level fail and invalid level.
When none of the above conditions is met with settings L, M, A, B, I or
J, the output current (Iout) reflects the level value.
The recommended fail safe condition for the analog output is with
setting I or J.
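An added example (not part of the Honeywell Enraf manual): a Python check that decodes recorded [RY], [RZ] and [AK] values and reports deviations from the fail-safe settings stated above. It assumes the item values have already been read from the gauge as plain strings; the function names and sample values are constructed for illustration.

```python
# Added example: audit recorded [RY], [RZ] and [AK] values against the
# fail-safe settings described in sections 3.4.4 and 3.4.5.
# Function names and the sample values at the bottom are constructed.

ALARM_ITEMS = {"HA", "HH", "LA", "LL"}   # characters 1-2 and 4-5 of [RY]
ALARM_MODES = {"T", "-", "W"}            # characters 3 and 6 of [RY]


def parse_ry(ry):
    """Split the 6-character [RY] value into (alarm item, alarm mode) per relay."""
    if len(ry) != 6:
        raise ValueError("[RY] must be 6 characters")
    relays = []
    for n, part in enumerate((ry[:3], ry[3:]), start=1):
        item, mode = part[:2], part[2]
        if item not in ALARM_ITEMS or mode not in ALARM_MODES:
            raise ValueError(f"[RY] relay {n}: invalid field {part!r}")
        relays.append((item, mode))
    return relays


def audit(ry, rz, ak):
    """Return a list of findings; an empty list means [RZ] and [AK] match
    the fail-safe settings the manual calls for."""
    relays = parse_ry(ry)
    if len(rz) != 4 or set(rz) - {"E", "D"}:
        raise ValueError("[RZ] must be 4 characters, each E or D")
    findings = []
    for n, (item, _mode) in enumerate(relays, start=1):
        # [RZ]: characters 1/3 = operational mode, characters 2/4 = fail mode
        op_mode, fail_mode = rz[2 * (n - 1)], rz[2 * (n - 1) + 1]
        if op_mode != "E":
            findings.append(f"relay {n} ({item}): operational mode {op_mode}, "
                            "must be E (normally energized)")
        if fail_mode != "D":
            findings.append(f"relay {n} ({item}): fail mode {fail_mode}, "
                            "must be D (de-energize on gauge fail)")
    if ak not in {"I", "J"}:
        findings.append(f"[AK]={ak}: recommended fail-safe setting is I or J")
    return findings


if __name__ == "__main__":
    # Constructed sample: relay 1 linked to HH, relay 2 linked to LA
    for line in audit("HH-LAW", "DDEE", "L"):
        print(line)
```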
3.5 Verification of the Safety Instrumented Function(s)
To verify the correct functioning of the “overfill protection” and/or
“underfill protection” function, carry out the procedure of chapter 4.3
"Proof Testing".
CHAPTER 4 MAINTENANCE REQUIREMENTS
4.1 Purpose
This chapter provides the information that is relevant for correct
maintenance of the safety-related function(s) of the 854 ATG/XTG level
gauge.
4.2 Diagnostic items
To determine correct functioning of the “overfill protection” and/or “underfill protection” with the Servo Auto Test, a number of diagnostic items are available.
TABLES 4-1 to 4-3 provide an overview of the applicable diagnostic
items and their corresponding value ranges (N/A means: not
applicable).
Item | Description                                            | Default (1) | Min - Max values (1)  | Eng. unit (2) | Prot. level (3)
[PE] | Level at which the Servo Auto Test last failed         | +999.9999   | +999.9999 - +999.9999 | see [LD]      | 1
[PL] | Level at which the Servo Auto Test was last executed   | +999.9999   | +999.9999 - +999.9999 | see [LD]      | 1
[PX] | Minimum level at which the Servo Auto Test was performed | +999.9999 | +999.9999 - +999.9999 | see [LD]      | 1
[PY] | Maximum level at which the Servo Auto Test was performed | +999.9999 | +999.9999 - +999.9999 | see [LD]      | 1
[PZ] | Highest number of Servo Auto Test retries              | 0           | 0 - 9                 | N/A           | 1
[SN] | Number of executed Servo Auto Tests                    | 00000       | 00000 - 99999         | N/A           | 0
[SQ] | Servo Auto Test status                                 | N/A         | N/A                   | N/A           | 0
[SZ] | Time elapsed since last Servo Auto Test                | 00000       | 00000 - 99999         | minutes       | 0
1. Values for heights and distances are given in meters.
2. LD is the standard item to set the Level Dimension:
(M = metres; F = feet; I = inches; P = fractions).
3. Protection levels are provided for all items, depending
on the importance of an item.
TABLE 4-1 Diagnostic parameters (related to Servo Auto test)
Item | Description       | Default | Min - Max values | Eng. unit | Prot. level (1)
[RX] | Relay status      | - -     | N/A              | N/A       | 0
[ES] | Error SPU request | 0000    | 0000 - 0999      | N/A       | 0
1. Protection levels are provided for all items, depending
on the importance of an item.
TABLE 4-2 Diagnostic parameters (related to Alarm relays)
Item | Description           | Default         | Min - Max values                  | Eng. unit | Prot. level (1)
[AO] | Analog output current | @+.00000000E+00 | @+.35000000E+01 – @+.22000000E+02 | mA        | 0
[AQ] | Analog output status  | 0               | N/A                               | N/A       | 0
[EA] | Error analog output   | xx00            | 2200 - 3399                       | N/A       | 0
1. Protection levels are provided for all items, depending
on the importance of an item.
TABLE 4-3 Diagnostic parameters (related to Analog level output)
Relevant details about these diagnostic items are described in chapter
4.3 "Proof Testing".
4.3 Proof Testing
To make sure that the safety-rated loops remain SIL compliant, a proof
test has to be performed. For the proof test interval, refer to chapter 2.4 and
Figure 2-1.
Points of attention:
• For Proof Testing opening of the 854 ATG/XTG is not required
unless test results or other findings demand internal maintenance
and/or repair.
• The Proof Test procedure can be performed by a Service Engineer from:
  • the control system, using available diagnostic tools, such as
  Engauge,
  • as an alternative at the gauge, using a Portable Enraf Terminal
  (PET).
• It is advised to compare the test results with historic data, if available.
In this way trends in behavior can be determined.
Follow the steps below in the sequence given:
1. Determine that the examined gauges are certified for SIL compliant
“overfill protection” and/or “underfill protection”.
If not OK - contact plant management for further action.
If OK - continue with the next step.
2. Determine the actual status and values of the relevant configuration
items for each gauge (refer to TABLES 3-2 and/or 3-3 and/or 3-4).
Record this data for later reference.
Make sure that the values of the configuration items comply with the
settings as made during commissioning and/or approved changes.
Pay special attention to item [SE] ‘Servo Auto Test enabled’; this
should have the default value [E], enabled.
If not OK - contact plant management for further action.
If OK - continue with the next step.
3. Perform a functional and performance test of the gauge in the following
steps:
• Repeatability test,
• Balance test,
• Check status of servo auto test related items,
• Analysis of error codes and counters,
• Verification of Level measurement,
• Perform a test to activate the safety alarm through lock test or level simulation.
4. Analyze the results of step 3. above:
• look for unusual and/or exceptional behavior,
• compare the data with historical data, and look for trends,
• prepare a report for plant management; discuss any highlights,
• initiate preventive and/or corrective maintenance if necessary.
5. Reset the relevant diagnostic items to their default values.
This applies to the items that have a ‘Protection level 1’ (see TABLE
4-1).
6. Finally, execute the required certification renewal procedure.
Honeywell Enraf
Delftechpark 39
2628 XJ Delft
The Netherlands
Tel: +31 (0)15-2701 100
Email: [email protected]
www.honeywellenraf.com
4417808 - Revision 1
July 2015
© 2015 Honeywell International Inc.