A1.2.6 repair and replacement, A1.2.7 startup time, A1.2.8 firmware update – Yokogawa EJX440A User Manual

<Appendix 1. Safety Instrumented Systems Installation>

A-2

IM 01C25T01-01E

Table A1.2.5 Proof Testing

Testing method

Tools required

Expected outcome

Remarks

Functional test:

1. Follow all Management of Change

procedures to bypass logic solvers if

necessary.

2. Execute HART/BRAIN command to

send value to high alarm (21.5 mA) and

verify that current has reached this level.

3. Execute HART/BRAIN command to

send value to low alarm (3.6 mA) and

verify that current has reached this level.

4. Restore logic solvers operation and

verify.

• Handheld terminal

Proof Test Coverage

=52%

The output needs to be

monitored to assure that the

transmitter communicates

the correct signal.

Perform three point calibration along with

the functional test listed above.

• Handheld terminal

• Calibrated pressure

source

Proof Test Coverage

=99%

A1.2.6 Repair and Replacement

If repair is to be performed with the process online

the EJX will need to be bypassed during the

repair. The user shall setup appropriate bypass

procedures.
In the unlikely event that the EJX has a failure,

the failures that are detected shall be reported to

Yokogawa.
When replacing the EJX, the procedure in the

installation manual shall be followed.
The personnel performing the repair or replacement

of the EJX shall have a sufficient skill level.

A1.2.7 Startup Time

The EJX generates a valid signal within 1 second of

power-on startup.

A1.2.8 Firmware Update

In case firmware updates are required, they

will be performed at factory. The replacement

responsibilities are then in place. The user will not

be required to perform any firmware updates.

A1.2.9 Reliability Data

A detailed Failure Mode, Effects, and Diagnostics

Analysis (FMEDA) report is available from

Yokogawa with all failure rates and failure modes.
The EJX is certified up to SIL2 for use in a simplex

(1oo1) configuration, depending on the PFDavg

calculation of the entire Safety Instrumented

Function.

The development process of the EJX is certified up

to SIL3, allowing redundant use of the transmitter

up to this Safety Integrity Level, depending

the PFDavg calculation of the entire Safety

Instrumented Function.
When using the transmitter in a redundant

configuration, the use of a common cause factor

(β-factor) of 2% is suggested. (However, if the

redundant transmitters share an impulse line or if

clogging of the separate impulse lines is likely, a

common cause factor of 10% is suggested.)
Note that the failure rates of the impulse lines need

to be accounted for in the PFDavg calculation.

A1.2.10 Lifetime Limits

The expected lifetime of the EJX is 50 years. The

reliability data listed the FMEDA report is only valid

for this period. The failure rates of the EJX may

increase sometime after this period. Reliability

calculations based on the data listed in the FMEDA

report for EJX lifetimes beyond 50 years may yield

results that are too optimistic, i.e. the calculated

Safety Integrity Level will not be achieved.

A1.2.11 Environmental Limits

The environmental limits of the EJX are specified in

the user’s manual IM 01C25.

A1.2.12 Application Limits

The application limits of the EJX are specified in the

user’s manual IM 01C25. If the transmitter is used

outside of the application limits, the reliability data

listed in A1.2.9 becomes invalid.