Functional safety manual

Gammapilot M
FMG60
Radiometric measurement technology

Application Your benefits

Overfill protection or maximum level limit monitoring of
• For overfill protection up to SIL 3
all types of liquids and bulk solids in tanks, to satisfy the
– independently assessed (Functional Safety
particular requirements for safety-related systems as per
Assessment) by TÜV Rheinland and exida.com in
IEC 61508.
according to IEC 61508
The measuring device meets the following requirements • Permanent self-monitoring
• Functional safety in accordance with IEC 61508 • Safe parameterization concept
• Explosion protection (depending on version)
• Electromagnetic compatibility as per EN 61326 and
NAMUR recommendation NE 21
• Electrical safety in accordance with IEC/EN 61010-1

SD230F/00/en/10.07
71041846
 Gammapilot M

Table of contents

SIL Declaration of Conformity . . . . . . . . . . . . . . . . . . . 3

General information . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Structure of measuring system

with Gammapilot M FMG60 . . . . . . . . . . . . . . . . . . . . 4
Level limit detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Valid device types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Applicable device documentation . . . . . . . . . . . . . . . . . . . . . . . . . 5

Description of safety requirements

and boundary conditions . . . . . . . . . . . . . . . . . . . . . . . 6
Safety function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Restrictions for use in safety-related applications . . . . . . . . . . . . . 7
Functional safety parameters (SIL 2) . . . . . . . . . . . . . . . . . . . . . . . 8
Behavior of device when in operation and in case of failure . . . . . 9
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Maintenance, recalibration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Proof-test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Functional safety parameters (SIL 3) . . . . . . . . . . . . . . . . . . . . . . 18

Calibration Record. . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Management summary . . . . . . . . . . . . . . . . . . . . . . . 24

Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2 Endress+Hauser
Gammapilot M

SIL Declaration of Conformity

SIL-Konformitätserklärung
Funktionale Sicherheit nach IEC 61508

SIL Declaration of Conformity

Functional safety according to IEC 61508

Endress+Hauser GmbH+Co. KG, Hauptstraße 1, 79689 Maulburg

erklärt als Hersteller, dass der Kompakttransmitter zur berührungslosen

Grenzstanderfassung (Seriennummer XXXXXXXXXXX)
declares as manufacturer, that the compact transmitter for non-invasive
limit detection (Serial number XXXXXXXXXXX)
Gammapilot M FMG60

für den Einsatz in Schutzeinrichtungen entsprechend der IEC 61508 geeignet ist, wenn die
Sicherheitshinweise und nachfolgende Parameter beachtet werden:
is suitable for the use in safety-instrumented systems according to IEC 61508, if the safety instructions

e
and following parameters are observed:
Gerät/Product Gammapilot M
FMG60
Schutzfunktion/Safety Function
SIL
HFT
1)

Gerätetyp/Device type
Betriebsart/Mode of Operation
pl 2
Maximumdetektion/Maximum Detection

0
B
Low Demand Mode
3
3)
am
SFF 96%
MTTR 8h
1) -4
PFDavg TI = 1 Jahr/year 4,04 × 10
1) -3
PFDavg TI = 5 Jahre/years 2,02 × 10
Prüfintervall/Proof test interval empfohlen/recommended TI = 1 Jahr/year
Osd 577 FIT
Osu 655 FIT
Odd 1316 FIT
Ex

Odu 92 FIT
2)
MTBF 35 Jahre/years
1)
Die Werte entsprechen SIL 2 nach ISA S84.01 / The values comply with SIL 2 according to ISA S84.01
PFDavg –Werte für andere TI -Werte siehe Handbuch zur Funktionalen Sicherheit /
PFDavg –values for other TI -values see Functional Safety Manual
2)
Gemäß Siemens SN29500 /According to Siemens SN29500
3)
SIL 3 bei homogen redundantem Einsatz. Sicherheitstechnische Kenngrößen siehe Handbuch zur Funktionalen Sicherheit /
SIL 3 for homogeneous-redundant application. Safety-related parameters see Functional Safety Manual.

Das Gerät wurde in einem vollständigen Functional Safety Assessment unabhängig bewertet.
The device was assessed independently in a complete Functional Safety Assessment.

SIL_07001b_00_a2_Example

Endress+Hauser 3
 Gammapilot M

General information
! Note!
General information about functional safety (SIL) is available at www.endress.com/SIL and in the
competence brochure CP002Z "Functional safety in the Process Industry - risk reduction with Safety
Instrumented Systems".

Structure of measuring system with Gammapilot M

FMG60
Level limit measuring system
The following diagram shows an example of the measuring system in use.

Gammapilot M Gammapilot M

SD230xx01

Level limit detection The measuring system consists of a sensor and a gamma radiation source.
Level limit detection takes place when a guided gamma ray is interrupted or attenuated by the medium which
is being monitored and this interruption or attenuation is detected.
Typical measurement setup:

Gamma Gamma
radiation radiation
source Useful beam Gammapilot M source Useful beam Gammapilot M
interrupted
Signal Signal
“empty” “full”

Medium Medium

Tank Tank

SD230en02

In the transmitter (Gammapilot M), an analog signal (4 to 20 mA) proportional to the level is generated.
This signal is sent to a logic unit located downstream from the transmitter (e.g. PLC, limit signal transmitter)
and is monitored there to ensure it does not exceed a maximum value.
An individual gamma radiation source is recommended for each level limit detection. The path of the beam
should be adapted to the dimension of the measuring length used.
When using multiple detectors with 1oo2 or 2oo3 votings, the height of the detector arrangement with regard
to the switch point must also be taken into account.

4 Endress+Hauser
Gammapilot M

Valid device types The information in this manual pertaining to functional safety applies to the device versions listed below and
is valid from the stated software and hardware versions.
Unless otherwise indicated, all subsequent versions can also be used for safety functions. Device versions valid
for use in safety-related applications:

FMG60 - Designation Version

abcdefghk

a Certificates all

b Power supply all

c Wiring A, B, E, J, K, L C, D, F, G, H
1 2
* *
d Output 1 (4 to 20 mA HART)

e Scintillator / measuring range G, H, J, K (200 mm and 400 mm PVT)

f Material all

g Cable entry power supply all

h Cable entry output all

k Additional option B (SIL 2/SIL 3 IEC61508 declaration of conformity, level limit)

Valid software version: from 01.02.00

Valid hardware version (electronics): *1 from 30.04.2007; *2 in preparation

Applicable device Documentation Contents Note

documentation
Technical Information TI363F/00 – Technical data
(Gammapilot M FMG60) – Information on accessories

Operating Instructions BA236F/00 – Identification

(Gammapilot M FMG60) – Mounting
– Wiring
– Operation
– Commissioning
– Maintenance
– Accessories
– Troubleshooting
– Technical data
– Appendix: Diagram of menus

Operating Instructions BA287F/00 – Description of operating concept This document can be found in the
(Gammapilot M FMG60) – Description of device functions form of a PDF file on the
Description of device functions "ToF Tool - FieldTool Package"
CD-ROM provided.

KA202F/00 – Usage Use of the separate display/operating

(separate operating and – Mounting unit is optional.
display unit FHX40) – Commissioning

KA253F/00 – Usage and application guidelines To ensure safe, mechanical

(Mounting device FHG60 attachment, the mounting device
for Gammapilot M FMG60) FHG60 is recommended for safety-
related applications.
Alternative, equivalent devices are
used at the operator's risk.

Safety information depending
on the type of certificate chosen
– Safety, mounting and operating
instructions for devices suitable
for use in hazardous areas or as
overflow protection (WHG).
For certified device versions,
additional safety information
(XA, XB, XC, ZE, ZD) is provided.
The nameplate indicates which safety
information applies to your device
version.

Technical Information TI423F/00 – Technical data Use of modulator FHG65 in

(Modulator FHG65 - in preparation) – Mounting, wiring conjunction with FMG60 for the
suppression of interference radiation
("modulated mode")

Endress+Hauser 5
 Gammapilot M

Description of safety requirements and boundary

conditions
Safety function The safety function of the measuring system is maximum level limit monitoring (overfill protection).
The radiometric measuring system does not come into contact with the medium.

! Note!
To activate the safety functions, the Gammapilot M must be locked directly after calibration (see Section
"Method for device parameterization" → ä 14).

Safety-related signal:
The safety-related signal of the Gammapilot M FMG60 is the analog output signal 4 to 20 mA.
All safety measures are based exclusively on this output.
In addition, the Gammapilot M communicates non safety-related informations via HART and contains all
HART characteristics with additional device information.
The Gammapilot M generates an analog signal (4 to 20 mA) proportional to the pulse rate. This signal is sent
to a logic unit located downstream, e.g. a programmable logic controller or a limit signal transmitter, and
monitored there to establish if:
– a predefined level limit is exceeded
– an error occurs (e.g. error current in accordance with NE 43 (≤ 3.6 mA, ≥ 21 mA, interruption or short-
circuiting of signal line).
In addition to the analog signal path for the output current, the Gammapilot M has a redundant, internal, digital
signal path. Both paths are monitored permanently by the Gammapilot M. This results in the following behavior
of the output current:

Electronic partial stroke test

Current

(analog signal path test)

15 s Analog signal 4...20 mA
+1,6 mA

< 3.6 mA
(typically
2.4 mA)
250 ms
Digital signal path test

Time t
SD230en05

• Electronic partial stroke test (analog signal path test):

This is a cyclical life test of the analog signal path. For this test, the output current is increased by 10 % of
the measuring range (1.6 mA) up to a maximum of 20 mA every 2 minutes for 15 seconds.
Safe level limit detection is not affected by the hysteresis that has to be configured in the PLC
(see "Configuration of switch point and hysteresis" → ä 16).
This signal path can be used to permanently monitor and detect the correct safety-related configuration and
correct functioning of the Gammapilot M.

• Digital signal path test:

This is a cyclical life test of the digital signal path. For this test, the output current is set to a value < 3.6 mA
(typically 2.4 mA) every 2 minutes for 250 ms. The test is designed in such a way that this current value is
not interpreted as an error by the evaluation unit located downstream.
According to NE 43 §7, for example, a signal on alarm is not to be recognized as such unless it lasts at least
4 seconds.

6 Endress+Hauser
Gammapilot M
Restrictions for use in
safety-related applications
Endress+Hauser
– The use of the Gammapilot M is permitted only for maximum level limit detection with a PVT scintillator of
length 200 mm and 400 mm.
– For permitted mounting positions, see "Orientation" → ä 12.
– Sustained or temporary vibrations and shocks may influence the measuring signal and should therefore be
avoided if possible. This can, for example, be done by mounting the Gammapilot M in such a way that it is
decoupled from the source of vibration.
– The Gammapilot M may only be used in "stand-alone" mode or in "level limit" mode. The interconnection
of several detectors in a cascade is not permitted.
– In order to ensure interference freeness, series connection is not permitted in HART multidrop mode.
– The absorption of radiation by the contents of the tank must be at least 3 half-value layers. For example, in
the case of water, this means a minimum internal tank diameter of 24 cm for 137Cs and 33 cm for 60Co.
– The change in pulse rate caused by the product (difference between "empty" and "full") must not be less than
500 cps (counts per second) during the entire service life. When setting up the radiation source, the decay
of the gamma radiation source during the service life must be taken into account.
Empty calibration (cps) – Full calibration (cps)
Permitted service life = –1 • Half-life
500 cps
Example:
• Empty calibration: 1500 cps
• Full calibration: 0 cps
• Half-life 60Co: approx. 5.3 years
• Permitted service life: 10.6 years
– To ensure the reliability of decay compensation, only 137Cs and 60Co radiation sources, which do not contain
any foreign isotopes with longer or shorter half-lives, may be used.
– Measurements of self-emitting media are permitted only in modulated mode (using modulator FHG65).
– Background radiation must not exceed 8,000 cps.
– The maximum pulse rate for empty calibration must not exceed 60,000 cps.
– The pulse rate for full calibration must always be lower than the pulse rate for empty calibration.
– In the case of pressurized tanks, the effect of the pressure on the safety function must be considered
separately. Pressurized gas phases may affect the absorption of radiation due to the change in their density.
– Strong magnetic fields in proximity to the Gammapilot M may result in a reduction in the pulse rate.
If necessary, protective measures must be taken.
7
 Gammapilot M

Functional safety parameters The table shows the specific functional safety parameters for single-channel device operation *3:
(SIL 2)
Parameters according to IEC 61508 Value

Safety function Maximum level limit monitoring

SIL 2
HFT 0

Device type B

Mode of operation Low demand mode

SFF 96 %

MTTR 8h

T1 Proof-test interval; see chart

PFDavg for T1 = 1 year *2 4.04 × 10-4

λsd 577 FIT

λsu 655 FIT

λdd 1316 FIT

λdu 92 FIT

λtot *1 3258 FIT

MTBF *1 35 years
*1 According to Siemens SN29500. This value takes into account all failure types (see "Management summary" → ä 24).
*2 Where the average temperature when in continuous use is in the region of 50 °C, a factor of 1.3 should be taken into
account. For further information, see "Management summary" → ä 24.
*3 For multichannel device operation, see the "Appendix" → ä 18.

1oo1D

2,5E-03

2,0E-03

1,5E-03
PFDavg

1,0E-03

5,0E-04

0,0E+00
0 1 2 3 4 5
Proof-test interval (years)
SD230en07

Proof-test interval

Dangerous undetected failures in this scenario:

A dangerous, undetected failure is defined as an incorrect output signal which deviates from the real measured
value by more than 10 %, with the output signal remaining within the range of 4 to 20 mA.

Internal diagnosis time:

The internal diagnosis time of the Gammapilot M is 10 minutes. During this time, all internal safety functions
are executed at least once.

8 Endress+Hauser
Gammapilot M

Useful lifetime of electrical components:

The underlying failure rates of electrical components apply within the useful lifetime in accordance with
IEC 61508-2 Section 7.4.7.4 Note 3.

! Note!
Correct installation is key to the safe operation of the Gammapilot M.

Behavior of device when in Behavior of device when switched on

operation and in case of failure
Once it has been switched on, every Gammapilot M goes through a diagnosis phase lasting maximum
120 seconds.
During this time, the current output is at error current ≤ 3.6 mA.
During the diagnosis phase, communication via the display interface or via HART is not possible.

Once the diagnosis phase has been successfully completed, an uncalibrated device sets the current output to
error current ≥ 21 mA and retains this value until calibration has been completed.
Once calibration has been successfully completed, the device switches to measuring mode (current output:
4 to 20 mA).
If an internal device error is detected during the diagnosis phase, the current output remains at error current
≤ 3.6 mA.
If an internal device error is detected during calibration, the current output remains at error current ≥ 21 mA.
Once the diagnosis phase has been successfully completed, an already calibrated device switches to
measuring mode (current output: 4 to 20 mA). Otherwise, it remains at error current ≤ 3.6 mA.

! Note!
• If a calibrated Gammapilot M is cut off from its power supply, the internal clock is buffered for at least 6 days.
After this time, it may be necessary to reenter the current date and time. This is indicated by error current
≥ 21 mA and error message A635.
To enter the date and time, the device must be unlocked and then locked again (see Operating Instructions
BA236F/00 Appendix "Operating menu for level limit detection").
• To activate the safety functions, the Gammapilot M must be locked directly after calibration (see "Method
for device parameterization" → ä 14).

Behavior of device on demand

Once the maximum level is reached, the radiation is absorbed by the medium in the tank. The output current
is set to 20 mA. The rise time corresponds to the configured output damping τ (1 to 999 s; default value 6 s)
plus the device-internal dead time. The device-internal dead time is dependent on the configuration of the
"Beam type" function.

Setting Menu selection "Basic setup", Function "Beam type" Device-internal dead time
Standard 1s

Modulated 4s

" Caution!
Please also note the Section "Output damping" in the Operating Instructions BA236F/00.

Endress+Hauser 9
 Gammapilot M

Behavior of device in the event of alarms and warnings

Error current
The output current in the event of an alarm is fixed at a value ≥ 21 mA.

In some cases output currents ≤ 3.6 mA may occur (e.g. if the power supply fails or a line breaks or if there is
an error in the current output itself and the error current ≥ 21 mA can not be set).
For alarm monitoring, the logic unit must therefore be able to detect HI alarms (≥ 21 mA) and LO alarms
(≤ 3.6 mA).

Alarm and warning messages

The alarm and warning messages, which are output as error codes, provide additional information. The
following table shows the correlation between the error code and the current output:

Error code *1 Current output (message type) Note

Axxx ≥ 21 mA or ≤ 3.6 mA (alarm) xxx = three-digit number

Wxxx corresponding to measuring mode xxx = three-digit number

A692 ≥ 21 mA (alarm) Gammagraphy detected (alarm)

W693 3.8 mA ± 0.05 mA (warning) Gammagraphy detected (warning)

W640 ≤ 3.6 mA (SIL lock device W640) Locking sequence in operation

1
* The error codes are listed in the Operating Instructions BA236F/00, Section "Error codes".

Behavior of device in the event of interference radiation

The Gammapilot M provides two methods for dealing with interference radiation caused by non-destructive
material testing for example.

Detection of interference radiation (gammagraphy)

When the Gammapilot M is used in safety-related applications, the pulse rate is monitored to ensure that it
stays within the calibrated range. If the pulse rate is greater than the calibration value for "empty" or less than
the calibration value for "full", the current output switches to 3.8 mA for the duration of the configured hold
time of maximum 999 s.
An overfill can not be detected during this time.
If the pulse rate is still outside the calibrated range when the hold time elapses, the Gammapilot M switches
to alarm condtion until the pulse rate is again inside the calibrated range between full and empty calibration.

" Caution!
If x-ray tests are carried out within the sytem or in its immediate vicinity, or if any other sources of interference
are present, alternative measures must be taken to maintain safety during the hold time.

10 Endress+Hauser
Gammapilot M

Suppression of interference radiation using the Gamma-Modulator FHG65 (in preparation)

The Gammapilot M can suppress interference radiation when used in conjunction with the Gamma-modulator
FHG65. The useful radiation is switched on and off periodically by the modulator using a fixed frequency.
The Gammapilot M can filter this alternating portion out of the total radiation as a measured value. This does
not entail any interruption to measurement or level limit detection as in the case of basic gammagraphy
detection.
The following diagram shows, for example, a comparison between pulse rates with and without the
suppression of interference radiation.

Behavior in the event of interference radiation

35000

30000

25000
Pulse rate [cps]

20000

15000

10000

5000

0
0 90 180 270 360 450
Time [s]

without suppression of interference radiation

with suppression of interference radiation

SD230en08

Measuring signal of Gammapilot M in the event of interference radiation, for example

This function suppresses all sources of interference radiation, regardless of the source of useful radiation in use,
up to a local dose rate of approx. 50 μSv/h at the Gammapilot M (depending on detector length and the source
of interference involved).
Higher local dose rates can lead to a reduction in the detected pulse rate due to the statistical superposition of
pulses. This means that, for example, non-destructive material testing using gamma sources in the direct
vicinity of the Gammapilot M may lead to an overflow signal. Therefore, in these cases too, the Gammapilot M
is guaranteed to behave in a fail-safe manner.

! Note!
• The failure of the modulator (e.g. due to power failure) in this mode of operation, results in the Gammapilot
M having a higher output current (max. 20.5 mA) and is therefore fail-safe.
• In this operating mode of the Gammapilot M, modulator failure during the calibration of the measuring point
may cause the error message A692 "Gammagraphy detected" in the subsequent measuring mode.

Endress+Hauser 11
 Gammapilot M

Installation Mounting, wiring and commissioning

The mounting, wiring and commissioning of the Gammapilot M is described in the Operating Instructions
BA236F/00.

! Note!
• When the device is being used in safety-related applications, the "Cascade in", "Cascade out" and "PT100"
terminals must not be wired (for terminal assignment, see Operating Instructions BA236F/00, Section
"Terminal assignment").
• To ensure system safety, it is recommended that safety-related and non-safety-related devices and functions
be kept strictly separate.

Orientation
Permitted orientations:
– Horizontal and at right angles to the direction of radiation (recommended due to higher sensitivity)
– Horizontal with frontal irradiation
The FMG60 must be positioned in the radiation path in such a way that the scintillator is completely irradiated.
The position and length of the scintillator is indicated by markings on the housing pipe.
It is permitted to use a water cooling jacket or additional coverings on the detector as protection from the sun
or weather. As additional coverings can affect the measuring signal due to backscatter, the measuring point
must not be calibrated until installation is complete.
The water cooling jacket must be filled completely during calibration. The flow values and limit temperature
values listed for water cooling in the Operating Instructions must be observed.
If several radiometric measuring points are in use, pay attention to the orientation of the sources and the
arrangement of the detectors to ensure that they do not interfere with each other.

Notes on the redundant use of multiple detectors

This section provides additional information on the use of multiple detectors in 1oo2 or 2oo3 votings for safety-
related level limit detection:
– Only one radiation source may be used per measuring point.
– The following parameters must be configured identically when using multiple detectors:
Isotope, beam type, gammagraphy hold time, output damping, current date.
For background calibration as well as full and empty calibration, the same requirements that apply for single-
channel arrangement apply for each detector.
– Installation with 1oo2 voting and detectors arranged one above the other:

Note!
The position of the upper detector determines the most unfavorable switch point.

12 Endress+Hauser
Gammapilot M

– Installation with 1oo2 voting and detectors arranged horizontally beside one other:

Detector A X

Detector B

Note!
• Due to the limited beam path geometry, this detector arrangement can be advantageous for small
container diameters.
• The Gammapilot M close to the tank (detector A) partially screens the Gammapilot M facing away from
the tank (detector B). This must be taken into consideration when planning the activity of the source.
The following table provides approximate information on the absorption:

Percentage pulse rate available at detector B

Source Detector without water cooling Detector with water cooling

137
Cs approx. 60 % approx. 36 %
60
Co approx. 70 % approx. 48 %

Where necessary, the absorption can be partially compensated if 200 mm is used as the measuring
length for detector A and 400 mm for detector B.

– Installation with 2oo3 voting in preferred arrangement:

Note!
The position of the upper detector determines the most unfavorable switch point.

Operation

! Note!
The term calibration, which is often used in the context of radiometric measuring systems, refers to the
calibration process of the measuring point installed in the system. The measuring point comprises a detector, a
radiation source and, if necessary, a modulator.

Calibrating the measuring point

Once the basic settings (mode of operation, measurement method, date, type of radiation, source of radiation,
output damping) have been made, the actual calibration is performed.
To ensure that the Gammapilot M can compensate correctly for background radiation, the background
calibration must always be performed first. This is followed by empty and full calibration, in no particular order.

! Note!
Once calibration has been completed, the Gammapilot M is operational and can be used in non-safety-related
applications.
For use in safety-related applications, the device must be locked in order to activate the safety functions
(see "Method for device parameterization" → ä 14).

Endress+Hauser 13
 Gammapilot M

Method for device parameterization

The device can be operated using the display FHX40, HART Communicator DXR375 or FieldCare©.
To configure the operating parameters and to operate the Gammapilot M, please proceed in accordance with
the Operating Instructions BA236F/00 and the description of the device functions for level limit detection
BA287F/00.
During calibration, a log must be kept to document the configuration values (see "Appendix" → ä 18).

" Caution!
Following calibration, the Gammapilot M must be locked in order to activate the safety functions.
The Gammapilot M may be operated in safety-related applications only when it is in locked mode.

Locking procedure:
Step Description Parameter
displayed

1 For this, please select the function "Safety locking (S22)" in the function group "Safety
settings (S2)".
Once the selection has been confirmed, an output current of ≤ 3 mA is output immediately.

2 Enter individual 4-digit password.

3 Confirmation of output current ≤ 3.0 mA [Iout ≤ 3 mA]

Verification of output current using measurement

4 The following character string appears

0 1 2 3 4 5 6 7 8 9 . -
This character string is used to test the transmission of data to the operator device.
If the display is not correct, there is an error in the FMG60 or in the operator device.

Compare calibration values and configuration values with the calibration log and confirm
individually:

5 Background pulse rate [Backg: _ _ _ cps]

6 "Full" calibration point [Full: _ _ _ cps]

"Empty" calibration point [Empty: _ _ _ cps]

7 Isotope (137Cs or 60Co) [Source: _ _ _ ]

Beam type (standard or modulated) [Beam: _ _ _ ]

8 Time response (default value 10 s if "modulated" beam type was selected) [GammaHld: _ _ _ s]
Output damping [Integr.: _ _ _ s]

9 Current date [Pres.: _ _ _ ]

Calibration date [Calib: _ _ _ ]

10 Detector length (measurement length in mm) [ _ _ _ mm]

11 Once the calibration values have been checked, the password must be confirmed once [____]
again to complete the safety-related locking procedure.
Once it has been successfully locked, the device switches to measuring mode after a
diagnosis phase.

12 A test must then be carried out to verify whether the FMG60 is actually locked.
This is done by monitoring the output current. Following an interval of approx. 2 minutes,
the current increases by approx. 1.6 mA for 15 seconds (see also Chapter
"Safety function" Section "Electronic partial stroke test"). This signal change indicates
that the Gammapilot M is locked.
If there is no signal change, there was an error in the transmission of data for the
confirmation. In this case, the operator device should be replaced and the locking
procedure repeated.

" Caution!
If one of the parameters displayed does not correspond to the values logged during calibration, or if the
character string (step 4) is not displayed correctly, this parameter must be registered as not valid. The
Gammapilot M then automatically cancels the locking procedure. The status of the Gammapilot M is then
"unlocked".
Calibration can then be repeated.
If this is not successful, the device must not be used for safety-related applications.

14 Endress+Hauser
Gammapilot M

Behavior of current output during locking sequence:

At the start of the locking sequence, the detector outputs the error current ≤ 3.0 mA and remains at this value
until the sequence has been run through completely and the safety-related locking procedure has been
completed by confirming the password.
The output current value must be measured during the locking procedure and confirmed in the operating
menu. The current must be measured with a accuracy of ± 0.1 mA.
Following the correct locking procedure, the present current value (4 to 20 mA) is available at the output.
Following the correct locking procedure, the Gammapilot M executes all internal diagnosis tests. During this
time, (max. 60 s), the current output is at error current ≤ 3.6 mA.
Following completion of the diagnosis phase, the present current value (4 to 20 mA) is available at the output.
If a device error is detected during diagnosis, the current signal remains in a fault state ≤ 3.6 mA.

! Note!
• The lock is not cancelled if the power supply is switched off or if it fails.
• After it is locked, the detector cannot be reset using the Reset (333) function.
• If you have forgotten the password, please contact Endress+Hauser Service.

List of configuration parameters which must be confirmed

The following parameters can be configured by the user and must therefore be confirmed during the locking
procedure:

1. Background pulse rate (cps)

2. "Empty" calibration point (cps)

3. "Full" calibration point (cps)

4. Isotope (Cs or Co)

5. Beam type (standard or modulated)

6. (Gammagraphy) hold time (default value "10" for "modulated" beam type)

7. Output damping

8. Current date

9. Calibration date

List of preconfigured parameters

The following parameters cannot be freely defined by the user.
The Gammapilot M configures them to the following initial settings by executing the locking function:

1. Full = 100 % → 20 mA

2. Empty = 0 % → 4 mA

3. Output in case of alarm = 22 mA

4. Gammagraphy detection = ON

5. (Gammagraphy) Span time = 0 seconds (no dynamic monitoring)

6. Output for gammagraphy = 3.8 mA

7. Gammagraphy sensitivity = 9 (Beam type "standard"); 20 (Beam type "modulated")

8. Low output limit = OFF

9. Current output mode = standard

10. Communication address = 0

11. Service parameters = Preset values

12. Simulation = OFF

13. Release code = SIL locked

Endress+Hauser 15
 Gammapilot M

! Note!
• If the supply voltage for the Gammapilot M fails during the locking or unlocking procedure or during the
locking sequence, an alarm or warning is not output when the supply voltage is reapplied. For safety reasons,
however, the current output is set to error current ≤ 3.6 mA and held.
• To restart, the "safety locking (S22)" function has to be selected in the "safety settings (S2)" function group
and security locking has to be performed.

Configuration of switch point and hysteresis

The Gammapilot M converts the pulse rate linearly into the output current.
This requires configuration of switch point and hysteresis in the evaluation unit located downstream.
The following switch points must be configured in the evaluation unit:
1. 16 mA → Transition from "empty" to "full"
2. 8 mA → Transition from "full" to "empty"
Level

100%

0%

4 8 16 20 Current [mA]
SD230en13

Hysteresis to be configured in the control unit

Maintenance, recalibration Instructions for maintenance and recalibration can be found in the Operating Instructions BA236F/00.
During parameterization and maintenance work on the Gammapilot M, alternative monitoring measures must
be taken to ensure process safety.

" Caution!
The Gammapilot M must be recalibrated in the following circumstances:
If, following calibration of the measuring point, changes to the system are made in the immediate vicinity of
the measuring point which may affect the measuring signal due to scattering, or if changes are made to the
measuring point itself which alter the radiation conditions.
A check can be carried out by verifying the pulse rate with a free radiation path and comparing it to the
calibration record → ä 23.

16 Endress+Hauser
Gammapilot M

Proof-test
Safety functions must be tested at appropriate intervals to ensure that they are functioning correctly and are
safe.
The time intervals must be defined by the operator.
For this, refer to fig.: "Interval between recurrent tests" → ä 8 (single-channel usage) or
→ ä 19 (multichannel usage) for the Gammapilot M.

Proof-testing of the Gammapilot M must be carried out in accordance with the following procedure.
If several detectors are used in MooN votings, the proof-test described here must be performed separately for
each detector.
In addition, checks must be carried out to ensure that all cover seals and cable entries are sealing correctly.

Testing of internal clock

The device must display the correct date. If the date is out by more than one day, it must be corrected to ensure
correct decay compensation.
Please see also the note in the Section "Behavior of device when switched on" → ä 9.

Testing of Gammapilot M to ensure its safe functioning

During safety testing of the Gammapilot M, the radiation path of the measuring point must be clear.
For testing, the source of radiation is switched off. As a result, the output current changes from 4 mA to
20 mA. In a second step, the source is switched back on, and the current then changes from 20 mA to 4 mA.
This must be checked by measuring the current using a calibrated measuring device with a accuracy of
± 0.1 mA. If the average value of the current deviates by more than 0.2 mA from the set point, the measuring
point must be recalibrated and this test must be repeated.

" Caution!
If recalibration and testing are not successful, the device must no longer be used as a safety device.
Please contact Endress+Hauser Service.

This test detects approx. 98 % of all possible dangerous undetected device failures.

! Note!
Please see also the Section "Maintenance, recalibration" → ä 16.

Repair
All repairs to the Gammapilot M must be carried out by Endress+Hauser.

In the event of failure of a SIL-labeled Endress+Hauser device, which has been operated in a safety function,
the "Declaration of Contamination and Cleaning" with the corresponding note "Used as SIL device in protection
system" must be enclosed when the defective device is returned
Please note the Operating Instructions BA236F/00, Section "Return" with regard to this.

If the Gammapilot M is equipped with new software, a reset must be carried out following download, and the
device must be tested to ensure that it is functioning correctly and also recalibrated.

Endress+Hauser 17
 Gammapilot M

Appendix
Functional safety parameters Functional safety parameters for 1oo2 and 2oo3 votings to SIL 3
(SIL 3)

The following parameters were required for all safety-specific information for MooN votings:
– Proof Test Coverage >95 %
– MTTR = 8 h
– Low Demand Mode
The "SILver" tool (version 1.3, from exida.com) was used to calculate the values for PFDavg.

In the following wiring schemes, Endress+Hauser barrier RB223 was included, taking into account the
following information:

Device output version: "Ex → Non-Ex"

PFDavg 1.31 × 10-5

λdu 0.3 FIT

SFF 99.6 %

HFT 0

Further information on this device is provided in the related Functional Safety Manual SD011R.

18 Endress+Hauser
Gammapilot M

1oo2 voting

1oo2
Logic
unit

SIL 3

HFT 1

SFF 96 %

MTTR 8h

β=5% β = 10 %
-5
PFDavg for T1 = 1 year 3.6 × 10 7.1 × 10-5
PFDavg for T1 = 5 years 1.2 × 10-4 2.3 × 10-4

1oo2

2,50E-04

2,00E-04

1,50E-04
PFDavg

1,00E-04

5,00E-05

0,00E+00
1 2 3 4 5
Proof-test interval (years)

PFDavg (ß = 5 %) PFDavg (ß = 10 %)
SD230en15

Proof-test interval

Endress+Hauser 19
 Gammapilot M

1oo2 voting

RB223

1oo2
Logic
unit
RB223

Wiring scheme with barrier RB223

SIL 3

HFT 1

SFF 96 %

MTTR 8h

β=5% β = 10 %

PFDavg for T1 = 1 year 3.6 × 10-5 7.1 × 10-5

PFDavg for T1 = 5 years 1.2 × 10-4 2.3 × 10-4

1oo2

2,50E-04

2,00E-04

1,50E-04
PFDavg

1,00E-04

5,00E-05

0,00E+00
1 2 3 4 5
Proof-test interval (years)

PFDavg (ß = 5 %) PFDavg (ß = 10 %)
SD230en15

Proof-test interval

20 Endress+Hauser
Gammapilot M

2oo3 voting

2oo3
Logic
unit

SIL 3
HFT 1

SFF 96 %

MTTR 8h

β=5% β = 10 %

PFDavg for T1 = 1 year 3.8 × 10-5 7.2 × 10-5

PFDavg for T1 = 5 years 1.4 × 10-4 2.4 × 10-4

2oo3

3,00E-04

2,50E-04

2,00E-04

1,50E-04
PFDavg

1,00E-04

5,00E-05

0,00E+00
1 2 3 4 5
Proof-test interval (years)

PFDavg (ß = 5 %) PFDavg (ß = 10 %)
SD230en18

Proof-test interval

Endress+Hauser 21
 Gammapilot M

2oo3 voting

RB223

2oo3
Logic
RB223 unit

RB223

Wiring scheme with barrier RB223

SIL 3

HFT 1

SFF 96 %

MTTR 8h

β=5% β = 10 %
-5
PFDavg for T1 = 1 year 3.8 × 10 7.2 × 10-5
PFDavg for T1 = 5 years 1.4 × 10-4 2.4 × 10-4

2oo3

3,00E-04

2,50E-04

2,00E-04

1,50E-04
PFDavg

1,00E-04

5,00E-05

0,00E+00
1 2 3 4 5
Proof-test interval (years)

PFDavg (ß = 5 %) PFDavg (ß = 10 %)
SD230en18

Proof-test interval

22 Endress+Hauser
Gammapilot M

Calibration Record

Calibration Record

Company: ___________________________________________

Measuring Point: ___________________________________________

Facility: ___________________________________________

Device Type: FMG60 - ___________________________________

Serial Number: ___________________________________________

Name: ___________________________________________

Date: ___________________________________________

Password: ___________________
(It is recommended to treat the calibration record as confidential after entering the password)

Signature: ___________________________________________

Settings and Configuration Parameters of the FMG60

1. Background pulse rate: ___________ cps

2. Calibration point "empty": ___________ cps

3. Calibration point "full": ___________ cps

137 60
4. Isotope: Cs Co

5. Beam type: standard modulated

6. Gammagraphy hold time: _____ seconds (beam type "modulated": default = 10)

7. Integration time: _____ seconds

8. Present date: ____ . ____ . ________

(Day) (Month) (Year)

9. Calibration date: ____ . ____ . ________

(Day) (Month) (Year)

10. Detector length (Measuring length): _______ (mm)

Abgleichprotokoll-en

Endress+Hauser 23
24
Management summary
This report summarizes the results of the hardware assessment carried out on the radiometric
measurement transmitter for non-invasive limit detection Gammapilot M FMG60 with 4..20 mA
output and software version V01.02.001.
The hardware assessment consists of a Failure Modes, Effects and Diagnostics Analysis
(FMEDA). A FMEDA is one of the steps taken to achieve functional safety assessment of a
device per IEC 61508. From the FMEDA, failure rates are determined and consequently the
Safe Failure Fraction (SFF) is calculated for the device. For full assessment purposes all
requirements of IEC 61508 must be considered.
For safety applications only the 4..20 mA output of the Ex-i and Ex-e / Ex-d variants was
considered. All other possible communication electronics are not covered by this report.
Failure Modes, Effects and Diagnostic Analysis The failure rates used in this analysis are the basic failure rates from the Siemens standard
SN 29500.
According to table 2 of IEC 61508-1 the average PFD for systems operating in low demand
Project: mode has to be t10-3 to < 10-2 for SIL 2 safety functions. A generally accepted distribution of the
PFDAVG value of a SIF over the sensor part, logic solver part, and final element part assumes
Gammapilot M FMG60 that 35% of the total SIF PFDAVG value is caused by the sensor part.
Radiometric measurement transmitter for non-invasive limit detection For a SIL 2 application operating in low demand mode the total PFDAVG value of the SIF should
Applications with level limit detection (MAX detection) be smaller than 1,00E-02, hence the maximum allowable PFDAVG value for the sensor part
would then be ” 3,50E-03.
The radiometric measurement transmitter for non-invasive limit detection Gammapilot M FMG60
Customer: is considered to be a Type B2 component with a hardware fault tolerance of 0.
For Type B components with a hardware fault tolerance of 0 the SFF shall be > 90% according
Endress+Hauser GmbH+Co. KG to table 3 of IEC 61508-2 for SIL 2 (sub-) systems.
Management summary

Maulburg Endress+Hauser together with exida performed a quantitative analysis of the mechanical parts
Germany of the radiometric measurement transmitter for non-invasive limit detection Gammapilot M
FMG60 (see [D34]). This analysis was also used by exida to calculate the failure rates of the
sensor assembly using exida’s experienced-based data compilation for the different
components of the sensor element (see [D36]). The results of the quantitative analysis were
Contract No.: E+H 03/03-22 used for the calculations described in sections 5.2 and 5.3.
Report No.: E+H 03/03-22 R040 The following failure rates do not include failures resulting from incorrect use of the transmitter,
Version V1, Revision R1, January 2007 in particular humidity entering through incompletely closed housings or inadequate cable
feeding through the PG inlets.
Stephan Aschenbrenner
The listed failure rates are valid for operating stress conditions typical of an industrial field
environment similar to IEC 60654-1 class C (sheltered location) with an average temperature
over a long period of time of 40ºC. For a higher average temperature of 50°C, the failure rates
should be multiplied with an experience based factor of 1,3. A similar multiplier should be used
if frequent temperature fluctuation must be assumed.
It is assumed that the connected logic solver is configured as per the NAMUR NE43 signal
ranges, i.e., Gammapilot M FMG60 with 4..20 mA output communicates detected faults by an
alarm output current ” 3,6mA or • 21mA. For this configuration the following tables show how
the above stated requirements are fulfilled.

1
This software version is the future release which will cover the assumptions and requirements made in this report.
2
Type B component: “Complex” component (using micro controllers or programmable logic); for details see
7.4.3.1.3 of IEC 61508-2.
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document. © exida.com GmbH e+h 03-03-22 r040 v1 r1.doc, January 17, 2007
© All rights on the format of this technical report reserved. Stephan Aschenbrenner Page 2 of 4

Endress+Hauser
Gammapilot M
 Gammapilot M

Endress+Hauser
3
Table 1: Summary (worst case version) – Failure rates A user of the radiometric measurement transmitter for non-invasive limit detection Gammapilot
M FMG60 can utilize these failure rates in a probabilistic model of a safety instrumented
Failure category Failure rates (in FIT) function (SIF) to determine suitability in part for safety instrumented system (SIS) usage in a
particular safety integrity level (SIL). A full table of failure rates is presented in sections 5.2 and
Fail Safe Detected 577 5.3 along with all assumptions.
Fail Safe Undetected 94 It is important to realize that the “no effect” failures are included in the “safe undetected” failure
Fail Dangerous Detected 1316 category according to IEC 61508, Edition 2000. Note that these failures on its own will not affect
4 system reliability or safety, and should not be included in spurious trip calculations.
Fail Detected (internal diagnostics or indirectly ) 987
Fail High (detectable by the logic solver) 3 The failure rates are valid for the useful lifetime of Gammapilot M FMG60 (see Appendix 3).
Fail Low (detectable by the logic solver) 160
Annunciation Detected 166
Fail Dangerous Undetected 92
Fail Dangerous Undetected 53
Annunciation Undetected5 39
No Effect 561
Not part 618
Total 3258

Table 2 Summary (worst case version) – Failure rates according to IEC 61508

OSD OSU 6 ODD ODU SFF DCS 7 DCD 7

577 FIT 655 FIT 1316 FIT 92 FIT 96% 46% 93%

Table 3: Summary (worst case version) – PFDAVG values

T[Proof] = 1 year T[Proof] = 5 years T[Proof] = 10 years

PFDAVG = 4,04E-04 PFDAVG = 2,02E-03 PFDAVG = 4,03E-03

The boxes marked in yellow ( ) mean that the calculated PFDAVG values are within the
allowed range for SIL 2 according to table 2 of IEC 61508-1 but do not fulfill the requirement to
not claim more than 35% of this range, i.e. to be better than or equal to 3,50E-03. The boxes
marked in green ( ) mean that the calculated PFDAVG values are within the allowed range for
SIL 2 according to table 2 of IEC 61508-1 and do fulfill the requirement to not claim more than
35% of this range, i.e. to be better than or equal to 3,50E-03.
Because the Safe Failure Fraction (SFF) is above 90%, also the architectural constraints
requirements for SIL 2 of table 3 of IEC 61508-2 for Type B subsystems with a Hardware Fault
Tolerance (HFT) of 0 are fulfilled.

3
It is assumed that practical fault insertion tests can demonstrate the correctness of the failure effects assumed
during the FMEDAs.
4
“indirectly” means that these failure are not necessarily detected by diagnostics but lead to either fail low or fail high
failures depending on the transmitter setting and are therefore detectable.
5
As a worst-case consideration these failures are treated as dangerous failures. A fault tree or Markov model would
show that the real contribution of the “diagnostic channel” to the overall probability of failure on demand is much
lower.
6
Note that the SU category includes failures that do not cause a spurious trip
7
DC means the diagnostic coverage (safe or dangerous).

© exida.com GmbH e+h 03-03-22 r040 v1 r1.doc, January 17, 2007 © exida.com GmbH e+h 03-03-22 r040 v1 r1.doc, January 17, 2007
Stephan Aschenbrenner Page 3 of 4 Stephan Aschenbrenner Page 4 of 4

25
 Gammapilot M

Certificate

Certificate_No 968_EL425_03_07

26 Endress+Hauser
Gammapilot M

Endress+Hauser 27
Instruments International

Endress+Hauser
Instruments International AG
Kaegenstrasse 2
4153 Reinach
Switzerland

Tel. +41 61 715 81 00

Fax +41 61 715 25 00
www.endress.com
info@ii.endress.com

SD230F/00/en/10.07
71041846
FM+SGML 6.0 ProMoDo 71041846