KROHNE TT51 User Manual

Supplementary instructions

Supplementary instructions

TT 51 SERIES

TT 51 SERIES

TT 51 SERIESTT 51 SERIES

Supplementary instructions Supplementary instructions

2-wire transmitter for temperature, resistance or
voltage measurement

Safety manual SIL

Safety manual SIL

Safety manual SILSafety manual SIL

© KROHNE 09/2010 - 4000869801 - AD TT 51 SIL R01 en

CONTENTS

TT 51 SERIES

1 Introduction 3

1.1 Field of application ........................................................................................................... 3

1.2 User benefits .................................................................................................................... 3

1.3 Manufacturer’s safety instructions.................................................................................. 3

1.4 Relevant standards / Literature....................................................................................... 4

2 Terms and definitions 5

3 Description of the subsystem 6

3.1 Functional principle.......................................................................................................... 6

4 Safety function 7

4.1 Description of the failure categories ............................................................................... 7

4.2 Specification of the safety function .................................................................................. 7

4.3 Redundancy ...................................................................................................................... 8

4.3.1 Sensor drift ............................................................................................................................. 8

4.3.2 Sensor backup ........................................................................................................................ 9

5 Project planning 10

5.1 Applicable device documentation .................................................................................. 10

5.2 Project planning, behaviour during operation and malfunction.................................... 10

5.2.1 SIL data ................................................................................................................................. 10

6 Periodic checks / Proof tests 11

6.1 Periodic checks .............................................................................................................. 11

6.2 Proof tests ...................................................................................................................... 11

7 Safety-related characteristics 13

7.1 Assumptions ................................................................................................................... 13

7.2 Specific safety-related characteristics .......................................................................... 14

8 Appendix 19

8.1 Declaration of conformity for Functional Safety (SIL) ................................................... 19

8.2 exida / FMEDA management summary ......................................................................... 20

8.3 Return / maintenance form............................................................................................ 23

2

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

1.1 Field of application

The TT 51 C is a universal, isolated, dual-input temperature transmitter for RTD and

thermocouple sensors. It’s primarily intended to be mounted in a DIN-B housing.

TT 51 R is the rail mounted version of the TT 51 series.

TT 51 C Ex and TT 51 R Ex are the intrinsically safe versions of the TT 51 series. An S is added for
the SIL versions, e.g. TT 51 C ExS.

The TT 51 temperature transmitter utilizes a modular design in hardware as well as in software
to ensure the quality and reliability of the transmitter signal output to meet the special safety
requirements according to IEC 61508-2.

1.2 User benefits

• This intelligent HART® temperature transmitter is designed to perform temperature
measurements of solids, fluids and gases up to SIL2 according to special safety requirements
of IEC 61508-2 (see exida FMEDA report KROHNE 09/12-72 R011).

• Remote configuration with process control system, PC or HART
possible in combination with SIL activation to prevent unintended changes, only read-out of

parameters from the unit is possible via HART
function the software ConSoft and USB-kit ICON must be used.

• Continuous measurement

• Easy commissioning

INTRODUCTION 1

®

hand terminal is not

®

. To change settings or deactivate the SIL

not

notnot

SIL2 requirements are based on the standards current at the time of certification.

The TT 51 S certification involves the HW assessment of the TT 51 S products with an FMEDA.

1.3 Manufacturer’s safety instructions

The measuring device has been built and tested in accordance with the current state of the art,
and complies with the relevant safety standards.

However, dangers may arise from improper use or use for other than intended purpose.

For this reason, observe all the safety instructions in this document carefully.

INFORMATION!

This "Safety manual" is a complement to the regular handbook.
In addition to the safety rules in this documentation, national and regional safety rules and
industrial safety regulations must also be observed.

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

3

1 INTRODUCTION

1.4 Relevant standards / Literature

•[N1]• IEC 61508 part 2 - Functional safety of electrical/electronic/programmable electronic

safety-related systems;

• Part 2: Requirements for electrical/electronic/programmable electronic safety­related systems

•[N2]• IEC 61326-3-1:2008 - Immunity requirements for safety-related systems and for
equipment intended to perform safety-related functions (functional safety) - General
industrial applications

•[N3]• Namur NE 21 - Electromagnetic compatibility of industrial process and laboratory
control equipment

•[N4]• Namur NE 32 - Data retention in the event of a power failure in field and control
instruments with microprocessors

•[N5]• Namur NE 43 - Standardization of the signal level for the failure information of digital
transmitters

•[N6]• Namur NE 53 - Software of field devices and signal processing devices with digital
electronics

•[N7]• Namur NE 79 - Microprocessor equipped devices for safety instrumented systems

•[N8]• Namur NE 89 - Temperature transmitter with digital signal processing

•[N9]• Namur NE 107 - Self-monitoring and diagnosis of field devices

•[N10]• EN 60079-0:2006 - Electrical apparatus for explosive gas atmospheres;

• Part 0: General requirements

•[N11]• EN 60079-11:2007 - Explosive atmospheres;

• Equipment protection by intrinsic safety "i"

•[N12]• EN 60079-15:2005 - Electrical apparatus for explosive gas atmospheres

• Part 15: Construction, test and marking of type of protection "n" electrical apparatus

•[N13]• EN 60079-26:2007 - Explosive atmospheres

• Part 26: Equipment with equipment protection level (EPL) Ga

TT 51 SERIES

4

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

Used abbreviations

TERMS AND DEFINITIONS 2

DC

D

FIT

FMEA Failure Modes Effects Analysis is a structured qualitative analysis of a system,

FMEDA Failure Modes Effects and Diagnostic Analysis adds a qualitative failure data for all

HFT Hardware Fault Tolerance

Low demand mode Mode, where the frequency of demand for operation made on a safety-related

High demand
mode

MTBF Mean Time Between Failure is average time between failure occurrences.

MTTR Mean Time To Restoration is average time needed to restore normal operation after

PFD

AVG

PFH Probability of Failure per Hour is the probability of a system to have a dangerous

SFF Safe Failure Fraction summarizes the fraction of failure, which lead to a safe state

SIF Safety Instrumented Function

SIL Safety Integrity Level

Type A component "Non-complex" subsystem (all failure modes are well defined);

Type B component "Complex" subsystem (at least one failure mode are not well defined);

T[Proof] Proof Test Interval

Diagnostic Coverage of dangerous failures.
Diagnostic coverage is the ratio of the detected failure rate to the total failure rate.

Failure In Time (1x10-9 failures per hour)

subsystem, process, design or function to identify potential failure modes, their
causes and their effects on (system) operation.

components being analyzed and ability of the system to detect internal failures via
automatic on-line diagnostics parts to FMEA.

system is not greater than one per year and not greater than twice the proof-test
frequency.

Mode, where the frequency of demands for operation made on a safety-related
system is greater than one per year and greater than twice the proof-check
frequency.

a failure has occurred.

Probability of Failure on Demand is the average probability of a system to fail to
perform its design function on demand.

failure occur per hour.

and the fraction of failures which will be detected by diagnostic measures and lead
to a defined safety action.

for details see 7.4.3.1.2 of IEC 61508-2.

for details see 7.4.3.1.3 of IEC 61508-2.

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

5

3 DESCRIPTION OF THE SUBSYSTEM

3.1 Functional principle

The TT 51 series supports up to two sensor channels with general input circuits that may be
configured for RTD and/or thermocouple temperature sensors.

All safety related calculations are based on these connections.

Functional principle of the TT 51 series is based on the analog to digital and back to analog signal
conditioning. The temperature sensors used are either Resistance Temperature Device(s) (RTD)
or thermocouple(s) (T/C). The RTD has a temperature dependent, non-linear, variable resistance
while the T/C generates a low level, highly non-linear, EMF (voltage) that depends on the
temperature difference between opposite ends of the T/C wire pair. Hence the connection end of
the T/C (cold junction) constitutes a temperature reference or base value that has to be
measured in order to determine the temperature at the critical spot (hot junction). This action is
referred to as cold junction compensation (CJC). One or two sensors of the same or different
types may be connected.

The low level analogue signal from temperature sensors is amplified and filtered before
converting it to a digital signal. The digital signal is less prone to electromagnetic interference.
Digital signal processing like sensor linearization, calculation, temperature drift compensation
etc. is controlled by processors, isolated and converted back to analogue 4...20 mA output signal.

TT 51 SERIES

The TT 51 are smart temperature transmitter which improves predicting problems within the

industrial safety instrumented systems – SIS, reducing the manual testing.

The TT 51 is a modular and configurable system with the ability to pre-configure inputs for
measuring sensor(s) and outputs to fault conditions. Configuration of the transmitter is
protected by password.

6

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

4.1 Description of the failure categories

The following definitions of the failure are used during diagnostic calculations:

SAFETY FUNCTION 4

Fail-Safe State The fail-safe state is defined as the output reaching the user defined

Fail - Safe A safe failure (S) is defined as a failure that causes the

Fail Dangerous A dangerous failure is defined as a failure of the temperature transmitter

Fail Dangerous Undetected Failure that is dangerous and that is not being diagnosed by internal

Fail Dangerous Detected Failure that is dangerous but is detected by internal diagnostics and

Fail High Failure that causes the output signal to go to the maximum output current

Fail Low Failure that causes the output signal to go to the minimum output current

No Effect Failure of a component that is part of the safety function but is neither a

Not part Failures of a component which is not part of the safety function but part of

threshold value.

module/(sub)system to go to the defined fail-safe state without a demand
from the process. Safe failures are divided into safe detected (SD) and safe
undetected (SU) failures.

TT 51 C not responding to a demand from the process, i.e. being unable to
go to the defined fail-safe state, and the output current deviates by more
than 2% of measuring span of the actual temperature measurement
value.

diagnostics.

causes the output signal to go to the predefined alarm state (These
failures may be converted to the selected fail-safe state).

(> 21 mA) acc. to NAMUR NE 43.

(< 3.6 mA) acc. to NAMUR NE 43.

safe failure nor a dangerous failure and has no effect on the safety
function. For the calculation of the SFF it is treated like a safe undetected
failure.

the circuit diagram.

4.2 Specification of the safety function

The safety function of the TT 51 transmitter is the quality and reliability of the transmitter signal
output, i.e. measurement performance, error detection and error indication in the signal­processing path of the transmitter.

The valid range of the output signal is between 3.8 mA and 20.5 acc. to NE 43.

The failure information is defined by two selectable alarm levels: Fail Low (Downscale ≤ 3.6 mA)
and Fail High (Upscale ≥ 21 mA).

The configuration of the transmitter is protected by the password in the software ConSoft. The
password is then stored in the transmitter.

The TT 51 checks sensor errors (sensor break or sensor short) for both channels if it is
configured in this manner.

A software SIL-switch is available in the transmitter, handled by the PC-configuration software
ConSoft. It is also password-protected. It can also be changed by HART

password-protected.

®

communication, still

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

7

4 SAFETY FUNCTION

Function Active/Not Active Output Alarm level 1

Sensor break Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Sensor short Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Low isolation Not active - ­System error 2 Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Sensor drift (dual
sensor needed) 3

1 For some system failures the alarm output will toggle between a high alarm level (≥21.0 mA)
and a low alarm level (≤3.6 mA). For some HW failures the alarm level will be high even though a
low level is configured and for some other HW failures the alarm will go low even though a high
level has been selected.

To prevent a safety system from restart due to the toggling output the system should be setup so

that once an alarm signal has occurred from the safety loop the system shouldn’t go back to

normal run automatically but only manual ("Restart Interlock").

2 System errors = failures in the software or hardware detected by the diagnostics in the
transmitter.

Active/Not Active
selectable

TT 51 SERIES

4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

3 The sensor drift function is valid from SW-versions; IPM-SW 01.01.03 and OPM-SW 01.01.04
and hardware versions 5 and later, implemented in transmitters with serial number 1006.xxxxxx
or later. Serial number 1006.xxxxxx means manufactured week 6 in 2010 and this information is
found on the nameplate or it can be read from the transmitter via ConSoft. The software and
hardware versions can be read from the ConSoft software, tab "Device Information".

4.3 Redundancy

For the following configurations:

• 2 x 2w RTD sensors

• 2 x 3w RTD sensors

• 2 x Thermocouple sensors

• 1x Thermocouple sensor and 1 x 3w RTD sensor

• 1x Thermocouple sensor and 1 x 4w RTD sensor (only valid for TT 51 R)

are either "Sensor drift monitoring" function or "Sensor backup" function selectable at a time.

4.3.1 Sensor drift

If the function "Sensor drift" monitoring is selected, a difference between the sensors of more or
equal to the value stated in the configuration will cause the output to go either "Downscale" or
"Upscale" depending on the user configuration. Maximum temperature difference has to be

specified in °C via ConSoft.

8

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en