Safety Manual


OPTIMASS 6400 Supplementary Instructions

Coriolis mass flowmeter


Safety manual

© KROHNE 11/2021 - 4004960805 - AD OPTIMASS 6400 SIL R05 en


CONTENTS

1 Introduction
1.1 Scope of the document
1.2 Revision history
1.3 Device description
1.4 Declaration
1.5 Device safety characteristics
1.6 Permitted device variants
1.6.1 Signal converter
1.6.2 Flow sensor
1.7 Related documentation
1.8 Terms and definitions

2 Specification of the safety function
2.1 Safety function
2.1.1 Definition
2.1.2 Process response time
2.1.3 Failure detection and fault response time
2.1.4 Measurement uncertainties
2.2 Safety application conditions (SAC)
2.2.1 General
2.2.2 Installation
2.2.3 Operation
2.3 Operation modes
2.3.1 Safe operation
2.3.2 Non-SIL operation

3 Operation
3.1 Condition of use
3.2 Device configuration for usage in safety application
3.2.1 Change of operation mode
3.2.2 Switch to safe operation
3.2.3 Switch to non-SIL operation
3.2.4 Safe configuration
3.2.5 Safe parameter verification
3.2.6 Confirmation
3.3 Safe current output states
3.4 Error conditions
3.5 Homogeneous redundancy
3.5.1 How to set up a system with homogeneous redundancy
3.5.2 How to calculate the effect of common cause failures

4 Service
4.1 Maintenance
4.2 Availability of services
4.3 Proof test
4.4 Calibration procedure
4.5 Troubleshooting
4.6 Support for IEC 61508 approved devices

5 Notes


1 INTRODUCTION OPTIMASS 6400

1.1 Scope of the document


This document supplies functional safety data and instructions for OPTIMASS 6400 devices.

INFORMATION!
The data in this supplement provides additional information for using the device in safety
applications.
The technical data in the handbook (documents [1], [2]) shall be valid, provided that it is not
rendered invalid or replaced by this supplement. If necessary, parts of document [1] are
referenced herein.

INFORMATION!
Installation, commissioning and maintenance may only be carried out by properly trained and
authorised personnel.

1.2 Revision history

Document revision | Release date | Flow sensor | Electronic revision
R01 | 07/2016 | OPTIMASS 6000, sizes DN08...100 | ER 2.0.0_
R02 | 12/2016 | OPTIMASS 6000, sizes DN08...100 | ER 2.0.1_ - ER 2.0.4_
R03 | 03/2020 | OPTIMASS 6000, sizes DN08...100 | ER 2.1.xx
R04 | 05/2020 | OPTIMASS 6000, sizes DN08...200 | ER 2.1.xx
R05 | 09/2021 | OPTIMASS 6000, sizes DN08...200 | ER 2.1.xx
Table 1-1: Revision history

1.3 Device description


The OPTIMASS 6400 is a series of Coriolis mass flowmeters that measure mass flow rate, total
mass, density, temperature, volume flow rate, flow velocity, total volume and concentration of
liquids and gases.

The device can be used in safety applications measuring mass flow rate, volume flow or density
of liquids using the safe current output at terminal C. The safe current output is available in
intrinsically safe and non-intrinsically safe variants according to IEC 60079-11.


1.4 Declaration

Figure 1-1: Declaration of conformity


1.5 Device safety characteristics


This data applies for devices switched to "Safe Operation" (for further information refer to Safe
operation on page 13). For more data about device characteristics and performance, refer to
"Technical data" in the handbook [1] [2].

General
Device designation and permissible types | OPTIMASS with flow sensors and electronics MFC 400 (according to following section)
Safety-related output signal | 4 to 20 mA (terminal C)
Safety function | Put out a correct mass flow or volume flow or density measurement on safe current output (4 to 20 mA) with a safety tolerance of ±2% within the process response time of the device.
Device type acc. to IEC 61508-2 | Type A | Type B
Operating mode | Low Demand Mode | High Demand Mode | Continuous Mode
Valid hardware version and software version | ER 2.1.x_
Safety Manual | 4004960805 - R05
Type of evaluation | Complete HW/SW assessment in the context of development including FMEDA and change process according to IEC 61508-2, 3
 | Evaluation of "prior use" performance for HW/SW including FMEDA and change request according to IEC 61508-2, -3
 | Evaluation of HW/SW field data to verify "prior use" according to IEC 61511
 | Evaluation by FMEDA according to IEC 61508-2 for devices w/o software
Evaluation through – report no. | TUEV Rheinland Industrie Service GmbH – Certificate No. 968/FSP 1048.06/21
Test documents | Development documents, test reports, data sheets
Table 1-2: Safety-related characteristics - General

SIL - Integrity
Systematic safety integrity | SIL 2 capable | SIL 3 capable
Hardware safety integrity | Single channel use (HFT = 0) | SIL 2 capable | SIL 3 capable
 | Multi channel use (HFT = 1) | SIL 2 capable | SIL 3 capable
Table 1-3: Safety-related characteristics - SIL - Integrity


FMEDA (1)
SD | 0.1 FIT
SU | 800.9 FIT
DD | 1750.2 FIT
DU | 89.9 FIT
SFF | 96.59 %
PFDavg (TProof = 1 year) | 3.9E-04
PFDavg (TProof = 3 years) | 1.2E-03
PFDavg (TProof = 5 years) | 2.0E-03
PFH | 8.99E-08 1/h
PTC | Up to 97 %
MTBF (safety function) | 43.2 years
Diagnostic Test Interval (2) | 1 min
Fault Reaction Time | 1 s
Table 1-4: Safety-related characteristics - FMEDA

(1) Based on failure types specified in Siemens SN29500. Soft errors are taken into account.
The values are valid for an averaged ambient temperature up to 40°C / 104°F.
(2) All diagnostic functions are carried out at least once during this time.
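
The figures in Table 1-4 can be re-derived from the four failure rates, which also lets a plant evaluate its own proof test interval and proof test coverage. This is an added example, not part of the KROHNE manual; it assumes the simplified single-channel relations SFF = (SD + SU + DD) / total, PFH = DU and PFDavg = DU x TProof / 2, an 8760 h year, and (for the imperfect proof test case) a mission time chosen by the user. All function names are hypothetical.

```python
# Added example (not from the manual): re-derive Table 1-4 from its failure rates.
# Assumptions: simplified single-channel (1oo1) formulas, 8760 h per year.

FIT = 1e-9                 # 1 FIT = 1e-9 failures per hour
HOURS_PER_YEAR = 8760.0

# Failure rates from Table 1-4, in FIT
RATES_FIT = {"SD": 0.1, "SU": 800.9, "DD": 1750.2, "DU": 89.9}

# PFDavg values as printed in Table 1-4, keyed by proof test interval in years
PUBLISHED_PFD = {1: "3.9E-04", 3: "1.2E-03", 5: "2.0E-03"}


def safe_failure_fraction(rates):
    """Share of all failures that are safe or dangerous-but-detected."""
    total = sum(rates.values())
    return (total - rates["DU"]) / total


def pfh(rates):
    """Dangerous undetected failures per hour (high demand / continuous mode)."""
    return rates["DU"] * FIT


def pfd_avg(rates, t_proof_years, ptc=1.0, mission_years=None):
    """Average probability of failure on demand for one channel.

    With ptc < 1 the share (1 - ptc) of dangerous undetected failures is never
    found by the proof test and remains for the whole mission time (assumed).
    """
    du_per_year = rates["DU"] * FIT * HOURS_PER_YEAR
    if ptc >= 1.0:
        return du_per_year * t_proof_years / 2.0
    if mission_years is None:
        raise ValueError("mission_years is required when ptc < 1")
    return du_per_year * (ptc * t_proof_years + (1.0 - ptc) * mission_years) / 2.0


def mtbf_years(rates):
    """Mean time between failures of the safety function, all failure types."""
    return 1.0 / (sum(rates.values()) * FIT * HOURS_PER_YEAR)


def max_proof_interval_years(rates, pfd_budget):
    """Longest proof test interval that keeps PFDavg within the given budget."""
    return 2.0 * pfd_budget / (rates["DU"] * FIT * HOURS_PER_YEAR)


def matches_table(rates):
    """True if the derived PFDavg values round to the strings in Table 1-4."""
    return all(f"{pfd_avg(rates, years):.1E}" == printed
               for years, printed in PUBLISHED_PFD.items())


if __name__ == "__main__":
    print(f"SFF    = {safe_failure_fraction(RATES_FIT):.4%}")
    print(f"PFH    = {pfh(RATES_FIT):.2E} 1/h")
    print(f"MTBF   = {mtbf_years(RATES_FIT):.1f} years")
    print(f"table  = {matches_table(RATES_FIT)}")
    # PTC of 97 % from Table 1-4; the 10-year mission time is an assumption
    print(f"PFDavg = {pfd_avg(RATES_FIT, 1, ptc=0.97, mission_years=10):.2E}")
```

The derived SFF is 96.596 %, which the table prints truncated as 96.59 %.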

Useful lifetime of electrical components


The established failure rates of electronic components apply within the useful lifetime according
to IEC 61508-2, section 7.4.9.5 note 3.

The useful lifetime can only be extended under responsibility of the plant operator regarding
special operation conditions and the employment of suitable intervals for testing and
maintenance.


1.6 Permitted device variants


The permitted device variants for functional safety are defined by the signal converter variant
(for details refer to Signal converter on page 8), the flow sensor variant (for details refer to Flow
sensor on page 9) and the device versions defined by the electronic revision (for details refer to
Revision history on page 4). Unless otherwise specified, all subsequent versions can also be
used for safety functions.

1.6.1 Signal converter


The signal converter variant is identified by the CG number shown on the device nameplate.

The next figure describes the format of the CG number.

Figure 1-2: Code (CG number) of the signal converter variant

The following table shows the permitted signal converter variants for functional safety:

Code | Description | Applicable options for functional safe devices
1 | Measurement principle | 3
2 | Production related | any
3 | Power supply | 1, 8
4 | Display | 1
5 | I/O variant | 2, 3, 4
6, 7 | Optional modules for connection terminal A and B | any
Table 1-5: Permitted converter variants for functional safety

Details of the CG number decoding are provided in the handbook [2].


1.6.2 Flow sensor


The model and its options are identified by the V-type code on the device nameplate.
The type code is a series of alphanumeric characters (0...9 and A...Z).

Refer to the next table to find which positions in the V-type code are related to functional safety.
The positions are marked by the letter "x".

Code | VE | ab | c | d | e | fg | h | j | k | l | m | n | p | q | r | s | t | u | v | w
Position | 1-2 | 3-4 | 5 | 6 | 7 | 8-9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23
Functional safety relevant: x x x x x x x
Table 1-6: Description of V type code

The next table shows all codes of the permitted flow sensor variants which have constraints:

Code | Description | Valid flow sensor codes for SIL device variant
ab | Flow sensor type and size | 71, 72, 73, 74, 75, 76, 77, 78 or 79
j | Design | 0, K
q | Process requirements | 0, 1
r | Extended options | 0
s | Customer specific | 0
t | Signal converter type | 6, 7
Table 1-7: Permitted flow sensor variants for functional safety

1.7 Related documentation

[1] OPTIMASS 6000 Handbook
[2] MFC 400 Handbook
[3] IEC 61508-1 to 7:2010 Functional safety of electrical / electronic / programmable electronic safety-related systems
[4] Corrosion & Abrasion Guidelines for Coriolis Meter, OPTIMASS Corrosion
[5] NAMUR, NE43: Standardization of the Signal Level for the Failure, 2003.
[6] NAMUR, NE107: Requirements to Self-Monitoring and Diagnosis of Field Devices
Table 1-8: Related documentation


1.8 Terms and definitions

Term | Description
Firmware | Software embedded in the device
FIT | Failure In Time (1 x 10^-9 failures per hour)
FMEDA | Failure Modes, Effects and Diagnostics Analysis
FRT | Fault Response Time (diagnostic test interval + Fault Reaction Time). This is the maximum time that is necessary for the current output to change to a safe value when the safety function has an error condition.
HFT | Hardware Fault Tolerance
High demand or continuous mode | Where the frequency of demands for operation made on a safety-related system is greater than one time per year.
I/O | Input / output
DD | Rate for dangerous detected failure
DU | Rate for dangerous undetected failure
SD | Rate for safe detected failure
SU | Rate for safe undetected failure
Low demand mode | Where the frequency of demands for operation made on a safety-related system is not greater than one time per year.
MTBF | Mean Time Between Failures
PFDAVG | Average Probability of Failure on Demand
PFH | Probability of a dangerous Failure per Hour
PLC | Programmable logic controller
PTC | Proof Test Coverage
Process safety time | Time starting when something fails and ending when the "undesired event" can no longer be prevented.
SAC | Safety Application Condition. Conditions that must be adhered to when you use a safety-related system or a safety-related sub-system.
SFF | Safe Failure Fraction
SIL | Safety Integrity Level
SIS | Safety Instrumented Systems
Systematic Capability | Measure (given as a scale of SC 1 to SC 3) of the confidence that the systematic safety integrity of an element complies to the conditions of the specified SIL (related to the safety function of an element), when the element is applied in accordance with the instructions.
Type A system | "Non-complex" system (all failure modes are well defined). For more data, refer to subsection 7.4.3.1.2 of IEC 61508-2.
Type B system | "Complex" system (not all failure modes are well defined). For more data, refer to subsection 7.4.3.1.2 of IEC 61508-2.
TProof | Proof Test Interval
Table 1-9: Terms and definitions

2 SPECIFICATION OF THE SAFETY FUNCTION OPTIMASS 6400

2.1 Safety function


2.1.1 Definition
The device has a safety function that complies with International Standard IEC 61508 [3].
Definition of the safety function: Put out a correct mass flow or volume flow or density measurement on
safe current output (4 to 20 mA) with a tolerance of ±2% within the process response time of the device (for
further information refer to Process response time on page 11).
The device has a safety tolerance of 2% of the present measurement value or present output current
(whichever is greater).

2.1.2 Process response time


The process response time is defined as the T90 for a response to a step change between
process input and safe current output. It depends on the configured time constant of the
damping in the safe current output (C7.1.16):

Damping [s] | 0 | 1 | 2 | 5 | 10 | 20 | 50 | 100
T90 [s] | 0.90 | 2.38 | 4.16 | 9.58 | 18.63 | 36.75 | 91.12 | 181.74
Table 2-1: Process response time

2.1.3 Failure detection and fault response time


If the device detects a failure, then it changes the current output to the low or high failure
current value in an interval equal to or less than the fault response time.
The maximum fault response time is 61 seconds.

2.1.4 Measurement uncertainties


The device measures with the same uncertainty in both operation modes (non-SIL mode and
SIL mode) if the device is undamaged.

The safety tolerance is the tolerable error before setting the safe state of the device.
A random fault can cause an error of up to 2% of the present measurement value or output current before it
is signalled.

2.2 Safety application conditions (SAC)


The handbook (document [1] [2]) gives instructions to correctly install the device and connect it
to an electrical circuit.

WARNING!
The safety application conditions and instructions must be followed if the device is used in a
safety related system.

2.2.1 General
• The operator must carefully select the correct tube diameter with respect to the expected flow rates.
• If the device is used in high demand mode of operation, the process safety time must be more than the
fault response time.
This minimum time agrees with International Standard IEC 61508 Part 2 ([3], section 7.4.4.1.4).


2.2.2 Installation
• In case of a remote device variant, the serial number of the signal converter and flow sensor
must match.
• The current output at terminal C is the safety relevant output for safe operation.
• The operator must ensure that the wetted material is compatible with process product.
• Correctly sized cables for the cable glands must be used and the cable glands and the lid
must be tightened sufficiently. Furthermore, the device (lid, cable glands) must not be
opened during safe operation.
• If the safe current output is used in passive configuration an overvoltage at the terminal can
lead to loss of the safety function of the device. It is recommended to use a power supply with
voltage limitation or voltage monitoring.
• The device must not be operated above 2000 m / 6561 ft above sea level.

2.2.3 Operation
• The device must not be exposed to strong magnetic fields during operation.
• The device must not be exposed to excessive vibration during operation.
• The sensor tube must be filled completely by the process liquid.
• Ensure that entrained gas, cavitation, or two-phase flows do not occur in the flowmeter.
• The ambient temperature must not exceed the device limits.
• Corrosive products must be excluded according to [4].
• Erosive products must be excluded.
• Coating inside the sensor tube must be avoided.
• The process temperature must not exceed the limits of the flow sensor variant.
• In order to execute the safety function the device must be switched to safe operation
(for further information refer to Switch to safe operation on page 15).
• The device must be operated in the mass flow range 5...130% of nominal flow range.

INFORMATION!
HART® communication:
The measuring device can also communicate via HART® in safe operation state.

INFORMATION!
Bluetooth® communication:
The measuring device can also communicate via the wireless Bluetooth® interface in safe
operation state.
Security mechanisms have been implemented to avoid any impact on the safe operation via the
wireless interface.
Write access to safety-related parameters is blocked via the Bluetooth® interface, even though
the Bluetooth® access level is set to "Read + Write". Additionally, the configuration of the device
for usage in safety applications is not supported via the Bluetooth® interface.


2.3 Operation modes


2.3.1 Safe operation
The device performs the safety function in safe operation. If it detects a failure, it will send a
failure current signal. The device continues to be functionally safe and the safety-related data
(e.g. hazard rate, FRT etc.) continues to be applicable.

Devices in safe operation mode have these operational restrictions:

• HART® multidrop mode is not available.
• The device cannot simulate measurement values at the output terminals.

2.3.2 Non-SIL operation


The device operates in non-SIL operation without any restriction to configuration or functionality.



3 OPERATION OPTIMASS 6400

3.1 Condition of use


The device must be a SIL variant to operate in SIL mode to perform the safety function.

INFORMATION!
Only properly trained and authorised personnel shall change device settings. Keep a report of
changes to the device settings. These reports must include the date, the menu item, the old
setting and the new setting.

The configuration is protected by a password. For more data on password protection and device
configuration refer to Switch to non-SIL operation on page 15.

3.2 Device configuration for usage in safety application


Safety relevant parameters are write-locked and cannot be changed during safe operation.
Parameters which are not safety relevant can be changed in safe operation.

3.2.1 Change of operation mode

Non-SIL operation -> Safe configuration: Set safety mode to SIL mode
Safe configuration -> Safe operation: Verify safe parameters and confirm
Safe operation -> Safe configuration: Unlock device
Safe configuration -> Non-SIL operation: Set safety mode to non-SIL mode and confirm

State | Icon (1) | Description | Safe current output
Non-SIL operation | - | Device can be used in non-SIL application and all parameters can be changed. | Measurement signal or failure signal
Safe configuration | | Device can be configured for safe operation or device can be switched to non-SIL mode. | Failure signal
Safe operation | | Device performs the safe measurement according to its configuration and all safety relevant parameters are locked. | Measurement signal or failure signal
Table 3-1: Description of safety states

(1) Icon shown at the local display or DTM.


3.2.2 Switch to safe operation


WARNING!
The device cannot be switched to safe configuration or safe operation if a lock jumper is present
at the local display.

In order to switch the device from non-SIL operation to safe operation several steps have to be
performed.

• Switch the device to safe configuration state by setting safety mode to "SIL Mode" (for further
information refer to Safe parameter verification on page 17).
• Configure the device for safe operation (for further information refer to Safe configuration on
page 16).
• Perform safe parameter verification (for further information refer to Safe parameter
verification on page 17).
• Perform confirmation (for further information refer to Confirmation on page 18).

Safety relevant parameters cannot be changed in safe operation.

INFORMATION!
Change your unlock password (menu C7.5) before switching the device to safe operation to avoid
unauthorised access.

3.2.3 Switch to non-SIL operation


In order to switch the device from safe operation to non-SIL operation several steps have to be
performed.

• Unlock the device (menu C7.4) by entering the configurable unlock password (menu C7.5).
Default unlock password: 9999
• Change the safety mode to "Non-SIL Mode" (for further information refer to Safe parameter
verification on page 17).
• Perform confirmation (for further information refer to Confirmation on page 18).


3.2.4 Safe configuration


In safe configuration state some parameters are reset to their factory value and locked because
they have direct impact on the safety function of the device.
The following parameters are reset to factory configuration and cannot be changed in safe
configuration or safe operation:

Parameter | Menu reference | Value
Current Span | C2.4.6 | 4-20 mA
Polarity | C2.4.5 | Both
4mA Trimming | C2.4.11 | 4 mA
20mA Trimming | C2.4.12 | 20 mA
Loop Current Mode | C4.2.0 | Enabled
Terminal C | C2.1.5 | Current Output
Density Calibration | C1.2.1 | Factory configuration
Operation Mode | A8 | Measurement
Density Mode | C1.2.2 | Process
Simulation functions for mass flow, volume flow, density and temperature | B3.2...B3.6 | Disabled
Simulation function for safe current output | B3.9 | Disabled
Table 3-2: Fixed parameters in safe operation

The following parameters must be configured for safe operation of the device:

ID | Parameter | Menu reference | Selection or values
- | Device Tag | C6.1 | 8 characters
1 | Measurement | C2.4.1 | Mass Flow, Volume Flow, Density
2 | Range (lower) | C2.4.2 | Depends on Measurement (ID 1)
3 | Range (upper) | C2.4.2 | Depends on Measurement (ID 1)
4 | Alarm Code | C2.4.9 | Low = 3.5 mA, High = 21.5 mA
5 | Low Flow Cutoff (threshold) | C2.4.3 | 0%…20%, referring to upper range value (ID 3)
6 | Low Flow Cutoff (hysteresis) | C2.4.3 | 0%…20%, referring to upper range value (ID 3)
7 | Damping | C2.4.4 | 0…100 s
8 | Terminal C Type (1) | C2.1.6 | Active, Passive
9 | Flow Direction | C1.1.4 | Forward, Backward
10 | Zero Calibration (2) | C1.1.1 | Automatic, Factory Calibration, Manual, Cancel
Table 3-3: Changeable safety relevant parameters in safe configuration

(1) Can only be configured for I/O variant (5) with code 4 (for details refer to Signal converter on page 8)
(2) Not safety relevant if the measurement Density is selected
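
A commissioning record can be pre-checked against Table 3-3 and the safety application conditions before the verification wizard is started. The following is an added example, not KROHNE code: the record field names, the `audit` function and the sample records are constructed for illustration, while the limits are taken from this manual (Table 1-5, Table 3-3 and sections 2.1.3, 2.2.1, 2.2.2, 2.2.3, 3.2.2 and 3.2.5).

```python
# Added example (not from the manual): pre-check a commissioning record
# against limits stated in this safety manual. Field names are hypothetical.

FAULT_RESPONSE_TIME_S = 61      # section 2.1.3: maximum fault response time
MAX_ALTITUDE_M = 2000           # section 2.2.2
FLOW_WINDOW_PCT = (5, 130)      # section 2.2.3: % of nominal flow range
SIL_IO_VARIANTS = {2, 3, 4}     # Table 1-5, code position 5

CHOICES = {                     # Table 3-3, selection parameters
    "measurement": {"Mass Flow", "Volume Flow", "Density"},
    "alarm_code": {"Low", "High"},
    "flow_direction": {"Forward", "Backward"},
}
RANGES = {                      # Table 3-3, numeric parameters
    "low_flow_cutoff_threshold_pct": (0, 20),
    "low_flow_cutoff_hysteresis_pct": (0, 20),
    "damping_s": (0, 100),
}


def _in_range(value, low, high):
    return isinstance(value, (int, float)) and low <= value <= high


def audit(record, other_tags=()):
    """Return a list of findings; an empty list means no deviation was found."""
    findings = []
    for key, allowed in CHOICES.items():
        if record.get(key) not in allowed:
            findings.append(f"{key}: must be one of {sorted(allowed)}")
    for key, (low, high) in RANGES.items():
        if not _in_range(record.get(key), low, high):
            findings.append(f"{key}: must be within {low}...{high}")

    io_variant = record.get("io_variant")
    if io_variant not in SIL_IO_VARIANTS:
        findings.append("io_variant: not a permitted variant for functional safety")
    # Table 3-3, footnote 1: Terminal C type is only configurable on I/O variant 4
    if io_variant == 4 and record.get("terminal_c_type") not in {"Active", "Passive"}:
        findings.append("terminal_c_type: must be Active or Passive")

    # Section 3.2.2: change the unlock password (default 9999) before safe operation
    if record.get("unlock_password_changed") is not True:
        findings.append("unlock_password: default not changed (menu C7.5)")
    # Section 3.2.5: the device tag must be unique when verifying via HART
    if record.get("device_tag") in other_tags:
        findings.append("device_tag: not unique")

    altitude = record.get("altitude_m")
    if not isinstance(altitude, (int, float)) or altitude > MAX_ALTITUDE_M:
        findings.append(f"altitude_m: must not exceed {MAX_ALTITUDE_M} m")

    low, high = FLOW_WINDOW_PCT
    if not (_in_range(record.get("min_flow_pct_nominal"), low, high)
            and _in_range(record.get("max_flow_pct_nominal"), low, high)):
        findings.append(f"flow window: must stay within {low}...{high} % of nominal")

    # Section 2.2.1: in high demand mode the process safety time must exceed the FRT
    if record.get("demand_mode") == "high":
        pst = record.get("process_safety_time_s")
        if not isinstance(pst, (int, float)) or pst <= FAULT_RESPONSE_TIME_S:
            findings.append(
                f"process_safety_time_s: must be more than {FAULT_RESPONSE_TIME_S} s")
    return findings


# Constructed sample records (not real plant data)
GOOD = {
    "device_tag": "FT-101", "measurement": "Mass Flow", "alarm_code": "Low",
    "flow_direction": "Forward", "low_flow_cutoff_threshold_pct": 1.0,
    "low_flow_cutoff_hysteresis_pct": 0.5, "damping_s": 2, "io_variant": 4,
    "terminal_c_type": "Passive", "unlock_password_changed": True,
    "altitude_m": 350, "min_flow_pct_nominal": 10, "max_flow_pct_nominal": 95,
    "demand_mode": "high", "process_safety_time_s": 120,
}
BAD = dict(GOOD, device_tag="FT-102", damping_s=150, unlock_password_changed=False,
           min_flow_pct_nominal=2, process_safety_time_s=45)

if __name__ == "__main__":
    for finding in audit(BAD, other_tags=["FT-102"]):
        print(finding)
```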


3.2.5 Safe parameter verification

The safe configuration must be verified either via local display or via HART® interface in order to
enter the safe operation state:

• Local display: Select menu item C7.3
• HART®: Use the device-specific DD or a DTM (only online mode)

During preparation of the safe parameter verification the following messages could be
displayed:

Message | Description
Checking Parameters… | Configuration is checked for plausibility.
Not allowed | Device in safe operation or non-SIL operation. Therefore safe parameter verification is not allowed.
Config. invalid | Implausible configuration.
Press Return to Start | Configuration checked successfully and verification can start.
Remove Jumper | A lock jumper is set. Please remove it!
Table 3-4: Messages during safe parameter verification

This process can only be started if the configuration is plausible. During verification of the safe
configuration all safety relevant parameters must be reviewed guided by a wizard.

In the verification wizard all safety relevant parameters are displayed in the following format:

Local display HART DD or DTM

Table 3-5: Formats for display of safety relevant parameters

The parameter ID is used for identification of the parameter as described in the chapter "Safe
configuration" on page 16.

WARNING!
Check that all parameters listed in the table for the respective safe measurement are shown in
the verification process.
If the verification process is performed via HART® make sure that the correct device is
addressed by checking the device tag. Please make sure that the device tag is unique.


3.2.6 Confirmation
During the last step of switching to safe operation or non-SIL operation the user must confirm
the action by entering a confirmation key. The device generates a random 3-digit confirmation
key which is displayed as depicted below.

When the safe configuration is confirmed, all safety relevant parameters are write-locked and
the device switches to safe operation state.

Local display HART DD or DTM

Table 3-6: Dialogue containing the confirmation key for safe operation

Message | Description
Timeout occured | The safe parameter verification must be completed within 1 hour. Please restart safe parameter verification.
Wrong Key | The entered confirmation key was incorrect. Please restart safe parameter verification.
Successful | Device is in safe operation or non-SIL operation.
Table 3-7: Description of messages

INFORMATION!
All safety relevant parameters are locked during safe operation. If parameters that are not
safety relevant are also to be locked, set the operator password [2].


3.3 Safe current output states

Current output condition | Value | Description
Measurement | 4...20 mA | Measuring the flow and putting it on the current output.
Extended Range | 3.8…20.5 mA | The current output complies to NAMUR Recommendation NE 43 [5]. The measurement is scaled to an output current which saturates at 3.8 mA or 20.5 mA. In these two conditions, the current output value is identified as a "non-safe" measurement.
Safe State | ≤ 3.6 mA or ≥ 21 mA | For safe or dangerous detected failures, the device changes the safe current output to the failure current (failure signal) set in the device configuration menu. Although this value can also be set to high failure current value (≥ 21 mA), some hardware failures will always cause the device to change to a low failure current value (≤ 3.6 mA).
Table 3-8: Safe current output states

WARNING!
We recommend not to use 3.8 mA or 20.5 mA as a limit for monitoring.
If the device is used in a safety loop both the high and low failure current must be monitored.


3.4 Error conditions


The device can detect error conditions. When the device detects an error, it supplies a failure
current value to show that this is a temporary (transient) or permanent (persistent) failure.

• The device will supply a failure current if there is a safety-critical failure.
• The failure current is the only signal that is related to the safety function. Ignore data from
other outputs and display options (e.g. HART® handheld controller etc.).
• Make sure that you monitor the low failure current value (≤ 3.6 mA) and the high failure
current value (≥ 21 mA).
• The following table shows the types of error that are related to functional safety.

CAUTION!
Although the device can be set to send a high failure current signal (≥ 21 mA), some hardware
failures will always cause the device to send a low failure current signal (≤ 3.6 mA).

Error condition | Description
Safety Rel. Failures | Only safety relevant failures result in safe state.
Failures | Safety relevant failures and not safety relevant device faults classified as NE 107 [6] failure result in safe state.
Out Of Specification | Safety relevant failures and not safety relevant device faults classified as NE 107 [6] failure or out of specification result in safe state.
Table 3-9: Error conditions related to functional safety

INFORMATION!
If 2 phase flow detection is configured according to the handbook [2], it can be either used to
• set the safe state at the safe current output by setting "Proc: 2 Phase Flow" (C7.1.11) to
"Failure" or
• signal it via any not safety relevant I/O by setting "Proc: 2 Phase Flow" (C7.1.11) to "Out of
Specification"


For more data about error conditions, refer to the following table:

Error message | Description | Corrective actions
Electronics Temperature out of Spec | Electronics temperature exceeds limits. | Protect electronics from heat by process or direct sunlight.
Flow out of Range | Flow above max. flow rate for flow sensor. | Check process conditions.
I/O Connection | Load for safe current output too high (e.g. open circuit) or hardware error in safe current output. | Check connection at safe current output, reduce load and perform reset errors.
Internal Comm. Error IO C | Internal communication error in the device. | Perform power reset. If the status returns, contact the manufacturer.
IO C Failure | Hardware failure in safe current output. | Perform power reset, reset errors. If the status returns, contact the manufacturer.
Process Input Failure | Sensor electronics failure. | Perform power reset, reset errors. If the status returns, contact the manufacturer.
Safe Configuration Invalid | Some safety relevant parameters are invalid. | Reset to factory configuration.
Safety Rel. Failure | A safety relevant failure occurred described by additional error messages. | Check additional error messages.
Sensor Error | Flow sensor defect. | Replace the flow sensor.
Temp. or Strain Res. Def. | Hardware failure in temperature or strain measurement. | Check cabling in case of remote device or replace flow sensor.
Table 3-10: Error conditions related to the device hardware


3.5 Homogeneous redundancy


3.5.1 How to set up a system with homogeneous redundancy
If two devices with the same parameters are installed in series to measure the flow, then they can be used as a SIL 3 safety function. The two devices provide the same measurements.

The safety function data from each device are sent to one or more logic solvers. The logic solver
compares the data from the two devices to select a device status for each device.
If the difference between the data from each device exceeds the limit for the safety application,
then the logic solver uses the safety function to change the safety loop's status to "safe".

Figure 3-1: Homogeneous redundancy


1 Sensor subsystem
2 Measurement device A
3 Measurement device A' (second device with the same configuration as device A)
4 Logic subsystem
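
An added sketch (not KROHNE code) of the logic-solver side of this arrangement: each safe current output is first classified against the 3.6 mA and 21 mA failure currents, then the two readings are compared. The linear 4-20 mA scaling, the full-scale flow, the deviation limit, the "at or below / at or above" threshold handling and the trip-on-any-failure policy are assumptions for illustration.

```python
from dataclasses import dataclass

LOW_FAIL_MA = 3.6    # low failure current named in this manual
HIGH_FAIL_MA = 21.0  # high failure current named in this manual

# Assumed for this sketch, not taken from the manual:
FULL_SCALE_KG_H = 10_000.0    # flow represented by 20 mA
MAX_DEVIATION_KG_H = 200.0    # limit for the safety application


@dataclass
class Verdict:
    status_a: str
    status_b: str
    loop_state: str  # "normal" or "safe"
    reason: str


def device_status(current_ma: float) -> str:
    """Classify one safe current output. Both bands are checked because some
    hardware failures always drive the output low, whatever is configured."""
    if current_ma <= LOW_FAIL_MA:
        return "failure_low"
    if current_ma >= HIGH_FAIL_MA:
        return "failure_high"
    return "ok"


def to_flow(current_ma: float) -> float:
    """Assumed linear 4-20 mA scaling to mass flow in kg/h."""
    return (current_ma - 4.0) / 16.0 * FULL_SCALE_KG_H


def evaluate(current_a_ma: float, current_b_ma: float) -> Verdict:
    """Select a status per device, then decide the state of the safety loop."""
    sa, sb = device_status(current_a_ma), device_status(current_b_ma)
    if sa != "ok" or sb != "ok":
        return Verdict(sa, sb, "safe", "failure current on at least one device")
    diff = abs(to_flow(current_a_ma) - to_flow(current_b_ma))
    if diff > MAX_DEVIATION_KG_H:
        return Verdict(sa, sb, "safe", f"deviation {diff:.0f} kg/h exceeds limit")
    return Verdict(sa, sb, "normal", "devices agree")
```
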


3.5.2 How to calculate the effect of common cause failures


An estimate of the effect of common cause failures (random hardware failures and systematic
failures) must agree with the methods given in Annex D of International Standard IEC 61508-6
(reference document [3]).

The installation method, maintenance strategy, and how you use the device will have an effect on
how you calculate the estimate.

To make an estimate, the analysis includes these conditions:

• different persons do the commissioning procedure and the proof tests,
• the device has a failure detection system,
• maintenance procedures are available in a document,
• approved maintenance personnel must identify and repair common cause failures, and
• only approved personnel can get access to the devices.



4 Service

4.1 Maintenance
Obey the maintenance instructions given in the handbook (document [1] [2]).

4.2 Availability of services


The manufacturer offers a range of services to support the customer after expiration of the
warranty. These include repair, maintenance, technical support and training.

INFORMATION!
For more precise information, please contact our local sales office.

4.3 Proof test


WARNING!
SIS engineers must use the PFDAVG target value to calculate the interval of time between proof
tests. This interval must be based on the specified PFDAVG.

CAUTION!
• Proof tests done by the customer must cover at least the tests given in this section.
• Keep a report of each proof test. These reports must include the date, the test results (performance of the safety function or faults found), a list of approved personnel who did the test and the report revision number. These reports must be put into storage and made easily available.

Required equipment
• A current meter with uncertainty below the required uncertainty of current loop
• Calibration rig

Test procedure
The following tables show all possible proof test steps resulting in a test coverage.
For test step 2 the device must be unlocked and set to non-SIL operation.

| Step | Procedure | Pass criteria |
|---|---|---|
| 1 | Perform power cycle (disconnect the device for 10 s from the power supply) or a device reset. | Device starts without errors. |
| 2 | Perform a 4-point current output check for safe current output using the built-in simulation function (menu B3.9), by setting the simulated current to 3.6 mA, 4.0 mA, 20.0 mA and 22.0 mA. Measure the current at the current output. | The error of the measured current at the safe current output is below the required uncertainty of current loop. |
| 3 | Visual inspection of device: sealings, containment, housing and electrical wiring. | No physical damage or water ingress in the device. |
| 4 | Compare the density reading with the expected density of your product. The measurement uncertainty must not exceed the maximum error specified in the handbook [2]. | The measurement uncertainty does not exceed the maximum error specified in the handbook [2]. |
| 5 | Check mass flow measurement accuracy with a calibration rig with at least 2 measuring points or return the device to the manufacturer for recalibration. The measurement uncertainty must not exceed the maximum error specified in the handbook [2]. | The measurement uncertainty does not exceed the maximum error specified in the handbook [2]. |

Table 4-1: Proof test steps


Proof Test Coverage

| Proof test steps | PTC |
|---|---|
| Steps 1-2-3 | 77% |
| Steps 1-2-3-4 | 82% |
| Steps 1-2-3-4-5 | 97% |

Table 4-2: Proof test steps with their proof test coverage

OPTICHECK can be used to perform the tests 1-4 in a simple way.
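
An added worked example (not from the manual) of how the proof test coverage in Table 4-2 feeds into the proof test interval for a PFDAVG target. It uses the common simplified single-channel approximation PFDavg ≈ PTC·λDU·TI/2 + (1−PTC)·λDU·MT/2, which is an assumption here; the λDU, target and mission time in the usage comment are constructed values, and real figures come from the device safety characteristics and the SIS design.

```python
from typing import Optional, Sequence

# Proof test coverage per Table 4-2, keyed by the proof test steps performed.
PTC = {(1, 2, 3): 0.77, (1, 2, 3, 4): 0.82, (1, 2, 3, 4, 5): 0.97}

HOURS_PER_YEAR = 8760.0


def pfd_avg(lambda_du: float, ptc: float, interval_h: float, mission_h: float) -> float:
    """Simplified 1oo1 approximation (assumed model): dangerous undetected
    failures the proof test reveals accumulate over the test interval, the
    remainder accumulate over the whole mission time."""
    return ptc * lambda_du * interval_h / 2 + (1 - ptc) * lambda_du * mission_h / 2


def max_proof_test_interval(pfd_target: float, lambda_du: float,
                            steps: Sequence[int], mission_years: float) -> Optional[float]:
    """Longest proof test interval in hours that keeps PFDavg at or below the
    target, or None if the failures the test never finds already exceed it."""
    ptc = PTC[tuple(sorted(steps))]
    mission_h = mission_years * HOURS_PER_YEAR
    residual = (1 - ptc) * lambda_du * mission_h / 2
    if residual >= pfd_target:
        return None  # target unreachable with this coverage
    interval_h = 2 * (pfd_target - residual) / (ptc * lambda_du)
    return min(interval_h, mission_h)


# Constructed inputs: lambda_DU = 1e-7 per hour, PFDavg budget 1e-3, 10 years.
if __name__ == "__main__":
    for steps in PTC:
        t = max_proof_test_interval(1e-3, 1e-7, steps, 10)
        print(steps, "not achievable" if t is None else f"{t / HOURS_PER_YEAR:.2f} years")
```

With these constructed inputs the full five-step test allows an interval of about two years, steps 1-4 allow roughly seven months, and steps 1-3 alone cannot meet the target at any interval.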

4.4 Calibration procedure


It is recommended to perform a zero calibration during every proof test or safe configuration. The conditions for zero calibration in the handbook [2] must be taken into account.

In safe operation, the factory density calibration is used.

4.5 Troubleshooting
INFORMATION!
• The user must not make modifications to devices that operate in SIL mode.
• Only approved personnel from the manufacturer are permitted to repair the device.

If the device has a critical failure that is related to functional safety, send a report to the
technical support department of the manufacturer. If you find a problem, please inform your
local representative. If you must return the device to the manufacturer, refer to "Returning the
device to the manufacturer" in [1] [2].

4.6 Support for IEC 61508 approved devices


The manufacturer will provide information about modifications which have an impact on the safety characteristics or the safety function.



KROHNE – Products, Solutions and Services
• Process instrumentation for flow, level, temperature, pressure measurement and process analytics
• Flow metering, monitoring, wireless and remote metering solutions
• Engineering, commissioning, calibration, maintenance and training services

© KROHNE 11/2021 - 4004960805 - AD OPTIMASS 6400 SIL R05 en - Subject to change without notice.

Head Office KROHNE Messtechnik GmbH


Ludwig-Krohne-Str. 5
47058 Duisburg (Germany)
Tel.: +49 203 301 0
Fax: +49 203 301 10389
[email protected]
The current list of all KROHNE contacts and addresses can be found at:
www.krohne.com
