1. How much or what parts of the transmitters do the safety certifications cover?
Pressure – The safety certification for the 3051S covers all of the transmitter up to and including the sensor diaphragm.
Temperature – The safety certification for the 3144P also covers the transmitter, and the FMEDA includes the failure calculations for both RTD and thermocouple sensors so that users can calculate the PFDAVG and SFF for their installation.
2. How do remote diaphragm seals or primary elements affect sensor PFD?
Adding this hardware does not change the transmitter's own PFD, because that figure covers the device only up to the sensor diaphragms.
The contribution of this hardware is added to the sensor PFD. Exida, a leading company in safety systems
and analysis, has an online system at exida.com called SILver to calculate PFDs. It uses the conservative
estimates below in its calculations.

| | Dangerous Undetected |
|---|---|
| Remote Seals | 2.00E-7 |
| Impulse line (low probability of plugging) | 2.50E-6 |
| Impulse line (medium probability of plugging) | 5.00E-6 |
| Impulse line (high probability of plugging) | 7.50E-6 |
3. How do an RTD and T/C affect my PFD calculations?
The FMEDA explains how the safety calculations are affected by both the type of sensor and dual-sensor configurations.
It includes several examples for both types of sensors that help users determine the best type of installation for their safety system.
4. Can I use the FMEDA numbers directly off the report when doing PFD calculations for Prior-Use sensors?
Prior-Use requires the end user to calculate the PFD (inverse of the MTBF) for a given sensor in a given application.
The PFD numbers in an FMEDA are not meant to be used directly. They are there as a conservative estimate for you to use to
validate your MTBF calculation.
5. Exactly what failures does the FMEDA cover?
Failures can be put into two major categories, random and systematic.
Random failures are documented in the FMEDA. You have to trust your sensor supplier that their products
do not have any systematic failures.
6. Are your transmitters Type A or Type B devices?
All of our smart transmitters are Type B devices. The difference between the two is that a Type
A device is an analog device in which all failure modes can be predicted and tested for. Type
B devices have microprocessors in them, which means they have software/firmware that can’t be tested for all failure modes.
7. Can I use only one transmitter in a SIL2 application?
IEC 61511 does allow a decrease in fault tolerance by one for devices certified under IEC 61508.
The decrease is not stated as clearly as it is for Prior Use devices, but it is just as true.
In section 11.4.5 of IEC 61511 there is a statement about alternative fault tolerance requirements
that may be used in accordance with the requirements of IEC 61508, Tables 2 and 3. Below is the actual
section of IEC 61511, Part 1, page 48.
Table 6 - Minimum hardware fault tolerance of sensors and final elements and non-PE logic solvers

| SIL | Minimum hardware fault tolerance (see 11.4.3 and 11.4.4) |
|---|---|
| 1 | 0 |
| 2 | 1 |
| 3 | 2 |
| 4 | Special requirements apply (see IEC 61508) |

Alternative fault tolerance requirements may be used providing an assessment is made
in accordance to the requirements of IEC 61508-2, Tables 2 and 3
Tables 2 and 3 are the fault tolerance tables located in IEC 61508, Part 2, section 7.4.3.1.4, page 47.
Transmitters fall under a type B safety-related subsystem. Below is the table.
Table 3 - Hardware safety integrity: architectural constraints on type B safety-related subsystems

| Safe failure fraction | Hardware fault tolerance 0 (see note 2) | Hardware fault tolerance 1 | Hardware fault tolerance 2 |
|---|---|---|---|
| <60% | Not allowed | SIL1 | SIL2 |
| 60% - < 90% | SIL1 | SIL2 | SIL3 |
| 90% - <99% | SIL2 | SIL3 | SIL4 |
| >99% | SIL3 | SIL4 | SIL5 |

NOTE 1 See 7.4.3.1.1 to 7.4.3.1.4 for details on interpreting this table.
NOTE 2 A hardware fault tolerance of N means that N + 1 faults could cause a loss of the safety function.
NOTE 3 See annex C for details of how to calculate safe failure fraction.
One of the requirements for a transmitter to be certified under IEC 61508 for SIL2 applications is that it
has a Safe Failure Fraction greater than 90%. Since you have an SFF greater than 90%, you would use the line
on the chart with the red arrow to see what your fault tolerance would be. The fault tolerances on the line
with the red arrow are one less than the fault tolerances specified in IEC 61511, which equates to taking a fault
tolerance credit for a certified device.
Basically, the IEC 61511 committee wanted to simplify the fault tolerance table of IEC 61508, so it
used the fault tolerances of a sensor or final element with a safe failure fraction
of 60% - 90% to create the fault tolerance table. If you have a unit that qualifies under Prior Use or is
certified per IEC 61508 and has a clean interface to the process, you get a credit on the IEC 61511 table. In reality,
IEC 61511 assumes that either unit, Prior Use or Certified, has a safe failure fraction >90% and that the fault tolerances
should be adjusted accordingly.
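The Python below is an added example, not part of the original FAQ or of Rosemount's or exida's tooling. It combines questions 2 and 7: it adds the question 2 dangerous-undetected rates to a transmitter's own rate, then checks a single (HFT 0) or redundant (HFT 1) installation against both the Table 3 architectural limit and the PFDavg band. Assumptions: the rates are per hour, the single-channel approximation PFDavg = λDU × TI / 2 is used, the SIL bands are the IEC 61508 low-demand bands, and the transmitter rates are constructed values rather than FMEDA data.

```python
# Added example; transmitter failure rates are constructed, not FMEDA data.
HOURS_PER_YEAR = 8760

# Dangerous-undetected rates from the table in question 2 (assumed per hour).
ADDED_HARDWARE_DU = {
    "remote_seal": 2.00e-7,
    "impulse_low": 2.50e-6,
    "impulse_medium": 5.00e-6,
    "impulse_high": 7.50e-6,
}

# IEC 61508-2 Table 3 (type B), HFT 0 and HFT 1 columns as quoted in question 7.
# Each row: (lower SFF bound, max SIL at HFT 0, max SIL at HFT 1); 0 = not allowed.
TYPE_B_LIMITS = [(0.99, 3, 4), (0.90, 2, 3), (0.60, 1, 2), (0.0, 0, 1)]

def safe_failure_fraction(sd, su, dd, du):
    """SFF = (safe + dangerous detected) / all failures."""
    return (sd + su + dd) / (sd + su + dd + du)

def max_sil_architecture(sff, hft):
    """Highest SIL Table 3 allows for a type B device at this SFF and HFT."""
    for lower, sil_hft0, sil_hft1 in TYPE_B_LIMITS:
        if sff >= lower:
            return (sil_hft0, sil_hft1)[hft]

def pfd_avg_1oo1(du_total, proof_test_years):
    """Simplified single-channel PFDavg = lambda_DU * TI / 2 (an assumption)."""
    return du_total * proof_test_years * HOURS_PER_YEAR / 2

def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg value (0 = worse than SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0

def assess(transmitter, extras, proof_test_years, hft=0):
    """Return (SFF, PFDavg, SIL by architecture, SIL by PFDavg)."""
    sff = safe_failure_fraction(**transmitter)  # SFF of the transmitter itself
    du = transmitter["du"] + sum(ADDED_HARDWARE_DU[e] for e in extras)
    pfd = pfd_avg_1oo1(du, proof_test_years)
    return sff, pfd, max_sil_architecture(sff, hft), sil_from_pfd(pfd)

# Constructed transmitter rates (per hour), for illustration only.
XMTR = {"sd": 0.0, "su": 8.0e-8, "dd": 2.6e-7, "du": 3.0e-8}
print(assess(XMTR, [], 1))                # transmitter alone, 1-year proof test
print(assess(XMTR, ["impulse_high"], 1))  # with a plug-prone impulse line
```

With these constructed rates the transmitter alone passes the SIL2 architectural check at HFT 0, but the impulse line's contribution dominates the PFDavg and pulls the single-sensor result into the SIL1 band.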
8. Do many people take the Hardware Fault Tolerance Credit?
Not many. Although taking the fault tolerance credit decreases some cost (one less sensor and its
installation, start-up, and maintenance cost), it could decrease availability. It is difficult to tell
a transmitter failure from a process failure using only the analog output of the transmitter. Using a single
sensor can trip the safety system for a sensor fault. A voting system allows the process to continue and increases
the Mean Time To Repair for a sensor failure, which increases up-time.
This will change with the introduction of Smart SIS logic solvers. A Smart logic solver will
be able to distinguish a sensor failure from a process failure. The Smart logic solver is smart
enough to not trip the system for a sensor failure.
9. I see on your safety certificate that your transmitters are rated SIL2 for hardware and SIL3 for software. Why do you have SIL3 rated software, and what difference does it make?
Rosemount software development standards were high enough to get the SIL3 rating,
which is ten times more difficult to get than SIL2. Also, IEC 61508 is up for its five-year
review, and it is anticipated that any device in a SIL3 SIF
will be required to have SIL3 rated software.
10. What is the requirement for qualifying Prior-Use?
IEC 61511 gives a general outline of the requirements, which are open to interpretation. The stated requirements are:
- Consideration of the manufacturers’ quality, management and configuration management systems
- Adequate identification and specification of the components or subsystems
- Demonstration of performance of the components or subsystems in similar operation profiles and physical environments
- Sufficient volume of operating experience
You can see some of the definitions by selecting the Are You Compliant button at this web site.
Here is some information we can provide from Rosemount, by requirement.
- Rosemount is ISO 9001 with a formal ECO system
- The hardware and software revision history is available on-line under prior-use documentation
- Although we can’t help you with process/installation information, one can assume a high probability of similar applications/installations from the number of sensors sold, the number of operating hours, and the number of failures. All this information is available under prior-use documentation.
- Sufficient volume of operating experience can be found under prior-use documentation.
11. Can I use application/failure data from another site?
Yes. But the installation, application, hardware, software, and stressors should be the same at
the originating site as the site that is going to use it.
12. Can a manufacturer qualify a product under Prior-Use?
No. One of the requirements for prior-use is that process information be documented. Manufacturers do not have process history.
13. Where do I find proof-test requirements?
For certified products, proof-test requirements are located in the safety manual. All safety certified products have
safety manuals as they are a mandatory component of certification. You will find them located in the instruction manual
or the Quick Installation Guide (QIG).
For Prior-Use products, safety manuals are not required. Rosemount Quick Installation Guides for
non-certified products are being updated with safety manuals to help you more easily document proof-tests.
14. Does a Safety Certified sensor require any kind of physical or color marking on the outside of it indicating it is certified?
No. The standard has no such requirement. But to make it easier for you to recognize our products, all Rosemount safety certified transmitters have a yellow wire-on tag.