Functional Safety Manual RN221N: Active Barrier

SD00008R/09/EN/13.13
71238238

Functional safety manual


RN221N
Active barrier

Application

Galvanic isolation of 4 to 20 mA current circuits and powering
2-wire transmitters, when used in safety relevant applications
to satisfy particular safety systems requirements as per
IEC 61508:2010 (Edition 2.0).
The measuring device fulfills the requirements concerning
• Functional safety as per IEC 61508:2010 (Edition 2.0)
• Explosion protection (depending on the version)
• Electromagnetic compatibility as per EN 61326 series
• Electrical safety as per IEC/EN 61010-1.

Your benefits

• Used in safety relevant applications to satisfy particular safety
systems requirements up to SIL 2
– independently evaluated (Functional Assessment) by
exida.com as per IEC 61508-2:2010 (Edition 2.0)

Table of contents

SIL Declaration of Conformity

Introduction

Measuring system design
  System components
  Description of the application as a safety-instrumented system
  Permitted device types
  Further applicable device documentation RN221N

Description of safety requirements and boundary conditions
  Safety function
  Restrictions for use in safety-related applications
  Functional safety parameters
  Proof-test interval
  Installation
  Maintenance

Proof tests
  Procedure for proof test

Repair

Appendix
  Commissioning or proof-test protocol

Exida.com management summary

Declaration of Hazardous Material and De-Contamination

SIL Declaration of Conformity


Introduction
General information on functional safety (SIL) is available at: www.de.endress.com/SIL (German)
or www.endress.com/SIL (English) and in the Competence Brochure CP002Z "Functional
Safety in the Process Industry - Risk Reduction with Safety Instrumented Systems".

Measuring system design

System components
The diagram below displays a measuring system with exemplary devices.

[Figure A0022109-EN: Sensor (e.g. temperature measuring device), Active barrier (e.g. RN221N), Receiver (e.g. PLC), Actor (e.g. valve); PFD... ≤ 10%]
Part of the active barrier at the "average probability of failure on demand of a safety-related system" (PFDavg)

This documentation treats the RN221N as part of the safety function.

Together, the sensor, active barrier, logic unit and actuator form a safety-related system, which carries
out a safety function. The "average probability of failure on demand of the entire safety-related system"
(PFDavg) is divided among the sensor, process transmitter, logic unit and actuator sub-systems.

Description of the application as a safety-instrumented system

[Figure A0022110-DE: Sensor (e.g. temperature transmitter), Active barrier RN221N, 4…20 mA, Logic unit (e.g. PLC, limit signal generator etc.), Actuator]
Example for "limit value monitoring" application

Powered by the active barrier RN221N, the sensor generates an analog signal (4 to 20 mA) that is
proportional to the measured value. The analog signal is fed via the active barrier RN221N to a
downstream logic unit, such as a PLC or limit signal generator, and is monitored there to determine
whether it exceeds a maximum value.

Permitted device types
The functional safety assessment described in this manual applies to the device versions listed below
and is valid from the stated software and hardware versions.

Valid hardware version (electronics): from 01.00.02

In the event of device modifications, a modification process compliant with IEC 61508 is applied.
Unless otherwise indicated, all subsequent versions can also be used for safety-instrumented systems.

Device versions valid for use in safety-related applications:

Feature   Designation                 Version
010       Approval                    all
020       Power Supply; Diagnostics   J, 1

Further applicable device documentation RN221N

Documentation: Technical Information TI073R/09
Contents:
• Technical data
• Notes on accessories

Documentation: Brief operating instructions KA124R/09
Contents:
• Identification
• Installation
• Wiring
• Operation
• Commissioning
• Maintenance
• Accessories
• Troubleshooting
• Technical data
• Appendix: Presentation of menus

Documentation: Safety instructions depending on the chosen "Approval" feature
Contents: Safety, installation and operating instructions for devices, which are suitable for use in
potentially explosive atmospheres
Remark: Additional safety instructions (XA, XB, XC, ZE, ZD) are supplied with certified device
versions. Please refer to the nameplate for the relevant safety instructions.

Description of safety requirements and boundary conditions

Safety function
When used as part of a safety function the measuring signal of the output side (O+, O- or O+H) 4 to
20 mA can be used.

Safety-related signal
The safety-related signal is the 4 to 20 mA measurement output signal. All safety functions solely refer
to this output signal.
The safety-related output signal or the limit relays are sent to a downstream logic unit, e.g. a
programmable logic controller or a limit signal transmitter, and monitored there to establish if:
• A specified limit has been overshot
• A fault has occurred, e.g. error current in accordance with Namur recommendation 43 (≤ 3.6 mA,
≥ 21 mA, signal cable disconnection or short-circuit).

Restrictions for use in safety-related applications
• The designated use of the measuring system and environmental conditions must be observed.
• Notes on critical process situations and installation conditions from the operating instructions
(chapter 4 in KA124R/09) have to be observed.
• Observe application-specific restrictions.
• The specifications from the Operating Instructions must not be violated.
• The device must be secured against unintentional operation / modification.
• A complete function test of the safety-related functions has to be carried out during commissioning.
MTTR is set to 24 hours.
Safety-related systems without self-locking function must be brought to a monitored or
otherwise safe state within MTTR after executing the safety function.

Functional safety parameters
The table shows specific parameters relating to functional safety:

Parameter as per IEC 61508                   RN221N-xJ, RN221N-x1
Protection function                          Measuring signal (output side) 4 to 20 mA
SIL AC                                       2
HFT                                          0
Device type                                  A
Operating mode                               Low and high demand mode
MTTR                                         24 hours
Recommended proof-test interval T[Proof]     1 year
SFF                                          75 %
λSD                                          0 FIT
λSU                                          0 FIT
λDD                                          206 FIT
λDU                                          66 FIT
λTotal *1                                    272 FIT
PFDavg (for T[Proof] = 1 year) *2            3.2 x 10^-4
PFH                                          6.62 x 10^-8 1/h
MTBF *1                                      286 years

*1 This value takes into account all failure types. Failure rates of electronics components in accordance with
Siemens SN29500. (see "Management summary - optional")
*2 Where the average temperature when in continuous use is in the region of 50 °C, a factor of 1.3 should be
taken into account. For further information, see "Management summary - optional".

Proof-test interval

[Figure A0022354-EN: PFD and PFDavg on a logarithmic axis (10^-5 to 10^0) plotted over 0 to 10 years]
Proof-test interval depending on the PFDavg

Operating life of electrical components


The underlying failure rates of electrical components apply within the usable operating life in
accordance with IEC 61508-2:2010 Section 7.4.9.5 Note 3.
According to DIN EN 61508-2:2011 Note 3 N3), longer operating life spans can be reached
through suitable measures by the manufacturer and the operator.


Installation
Installation, wiring, commissioning
Installation, wiring and commissioning of the device are described in the Brief Operating Instructions
KA124R/09.

Maintenance
No special maintenance work is required on the device.

Proof tests
Safety functions must be tested at appropriate intervals to ensure that they are functioning correctly
and are safe. The intervals must be specified by the operator.
The "Proof-test interval depending on the PFDavg" graphic can be used for this purpose.
The device proof test can be performed as follows:

Procedure for proof test
1. Bypass the logic unit or take other suitable measures to prevent an unwanted reaction in the
process.
2. Simulate several defined limit values across the entire range and verify that the output or the limit
relays go to a safe state.
3. Restore the complete operational capability of the loop.
4. Disable bypassing of the logic unit or restore normal operation in some other way.
This test detects approx. 99% of all possible "du" (dangerous undetected) failures of the RN221N active
barrier.

NOTICE
The device may no longer be used as part of a safety-instrumented system if one of the criteria
of the test procedures described above is not fulfilled.
‣ The proof test is used to detect random device failures. It does not cover the influence of systematic
faults on the safety function, which must be checked separately. Operating conditions or corrosion,
for example, can cause systematic faults.

Repair
All repairs to the RN221N must be carried out by Endress+Hauser only.
In the event of failure of a SIL-labeled Endress+Hauser device, which has been used in a safety-
instrumented system, the "Declaration of Hazardous Material and De-contamination", with the
corresponding note "Used as SIL device in a Safety Instrumented System", must be enclosed when the
defective device is returned.
Please read the information in the Section "Return" of the appropriate Operating Instructions.

Appendix
Commissioning or proof-test protocol

System-specific data
Company

Measuring points / TAG no.

System

Device type / order code

Serial number of device

Name

Date

Password (if device-specific)

Signature

Device-specific commissioning parameters

Proof-test protocol

Test stage / Measurement signal (output): Set point, Actual

• Jumper current input. Set point: Current ≤ 3.6 mA or ≥ 21 mA
• Connect multimeter (accuracy class 1) to output (O+, O- or O+H)
• Impress a current value of x mA on current input (I+, I-)
• Read the current/voltage value at the output and record it (set point e.g. x mA +/- 0.3 mA)
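
An added example, not part of the Endress+Hauser manual: the output evaluation described under "Safety-related signal" and the pass criteria of the proof-test protocol above, applied to a recorded test. The 16 mA limit, the function and class names, and the sample readings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from this manual; LIMIT_MA is a hypothetical trip point.
FAULT_LOW_MA = 3.6    # NE43 error current: output <= 3.6 mA
FAULT_HIGH_MA = 21.0  # NE43 error current: output >= 21 mA
TOLERANCE_MA = 0.3    # protocol example: set point x mA +/- 0.3 mA
LIMIT_MA = 16.0       # assumed maximum value monitored by the logic unit


def classify_output(current_ma: float, limit_ma: float = LIMIT_MA) -> str:
    """Evaluate the 4 to 20 mA output the way a downstream logic unit would."""
    if current_ma <= FAULT_LOW_MA:
        return "FAULT_LOW"
    if current_ma >= FAULT_HIGH_MA:
        return "FAULT_HIGH"
    return "LIMIT_EXCEEDED" if current_ma > limit_ma else "NORMAL"


@dataclass
class Stage:
    impressed_ma: Optional[float]  # None means the current input is jumpered
    measured_ma: float             # multimeter reading at O+, O- or O+H


def stage_passed(stage: Stage) -> bool:
    if stage.impressed_ma is None:
        # A jumpered input must drive the output into an error current.
        return classify_output(stage.measured_ma).startswith("FAULT")
    # Round to 0.001 mA so float noise cannot fail a reading on the band edge.
    return round(abs(stage.measured_ma - stage.impressed_ma), 3) <= TOLERANCE_MA


def evaluate_proof_test(stages: list) -> dict:
    """Return per-stage results; an incomplete record or one failed stage fails the test."""
    rows = [{"impressed": s.impressed_ma, "measured": s.measured_ma,
             "state": classify_output(s.measured_ma), "passed": stage_passed(s)}
            for s in stages]
    complete = (any(s.impressed_ma is None for s in stages)
                and any(s.impressed_ma is not None for s in stages))
    return {"passed": complete and all(r["passed"] for r in rows), "stages": rows}


# Constructed readings, not measurements from a real device.
GOOD_RECORD = [Stage(None, 22.1), Stage(4.0, 4.05), Stage(12.0, 11.9), Stage(20.0, 20.3)]
DRIFTED_RECORD = [Stage(None, 22.1), Stage(12.0, 12.5)]

if __name__ == "__main__":
    for record in (GOOD_RECORD, DRIFTED_RECORD):
        print(evaluate_proof_test(record))
```

A record that lacks the jumper stage, or that contains no set points at all, is reported as failed even when every reading in it is within tolerance.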


Exida.com management summary

Failure Modes, Effects and Diagnostic Analysis

Project:
Active Barrier preline RN 221N

Customer:
Endress+Hauser Wetzer GmbH + Co. KG
Nesselwang
Germany

Contract No.: E+H Wetzer 13/03-087


Report No.: E+H Wetzer 13/03-087 R012
Version V2, Revision R1; July 2013

Stephan Aschenbrenner

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document.
© All rights on the format of this technical report reserved.


Management summary
This report summarizes the results of the hardware assessment carried out on the Active
Barrier preline RN 221N with hardware version as shown in the referred circuit diagrams (see
section 2.5.1).
The hardware assessment consists of a Failure Modes, Effects and Diagnostics Analysis
(FMEDA). A FMEDA is one of the steps taken to achieve functional safety assessment of a
device per IEC 61508. From the FMEDA, failure rates are determined and consequently the
Safe Failure Fraction (SFF) is calculated for the device. For full assessment purposes all
requirements of IEC 61508 must be considered.
The failure rates used in this analysis are the basic failure rates from the Siemens standard
SN 29500. This failure rate database is specified in the safety requirements specification from
Endress+Hauser Wetzer GmbH + Co. KG for the Active Barrier preline RN 221N.
The listed failure rates are valid for operating stress conditions typical of an industrial field
environment similar to IEC 60654-1 class C (sheltered location) with an average temperature
over a long period of time of 40 °C. For a higher average temperature of 60 °C, the failure rates
should be multiplied by an experience-based factor of 2.5. A similar multiplier should be used
if frequent temperature fluctuation must be assumed.
The Active Barrier preline RN 221N can be considered to be a Type A element¹ with a
hardware fault tolerance of 0.
It is assumed that the connected safety logic solver is configured as per the NAMUR NE43
signal ranges, i.e. the Active Barrier preline RN 221N with 4..20 mA current output
communicates detected faults by an alarm output current ≤ 3.6 mA or ≥ 21 mA. Assuming that
the application program in the safety logic solver does not automatically trip on these failures,
these failures have been classified as dangerous detected failures. The following table shows
how the above stated requirements are fulfilled.

¹ Type A element: “Non-complex” element (all failure modes are well defined); for details see 7.4.4.1.2 of
IEC 61508-2.
© exida.com GmbH E+H Wetzer 13-03-087 R012 V2R1.doc, July 15, 2013
Stephan Aschenbrenner Page 2 of 18

Table 1 Summary for RN 221N – IEC 61508 failure rates

Failure category                                      Siemens SN 29500 [FIT]
Fail Safe Detected (λSD)                              0
Fail Safe Undetected (λSU)                            0
Fail Dangerous Detected (λDD)                         206
  Fail Dangerous Detected (λdd)                       0
  Fail High (λH)                                      79
  Fail Low (λL)                                       127
Fail Dangerous Undetected (λDU)                       66
No effect                                             117
No part                                               8
Total failure rate of the safety function (λTotal)    272
Safe failure fraction (SFF)²                          75%
DCD                                                   75%
SIL AC³                                               SIL 2

The failure rates are valid for the useful life of the Active Barrier preline RN 221N (see
Appendix 2).

² The complete sensor element will need to be evaluated to determine the overall Safe Failure Fraction. The number
listed is for reference only.
³ SIL AC (architectural constraints) means that the calculated values are within the range for hardware architectural
constraints for the corresponding SIL but does not imply that all related IEC 61508 requirements are fulfilled.

Declaration of Hazardous Material and De-Contamination

www.addresses.endress.com
