KROHNE TT51 User Manual

Supplementary instructions

Supplementary instructions

TT 51 SERIES

TT 51 SERIES

TT 51 SERIESTT 51 SERIES

Supplementary instructions Supplementary instructions

2-wire transmitter for temperature, resistance or
voltage measurement

Safety manual SIL

Safety manual SIL

Safety manual SILSafety manual SIL

© KROHNE 09/2010 - 4000869801 - AD TT 51 SIL R01 en

CONTENTS

TT 51 SERIES

1 Introduction 3

1.1 Field of application ........................................................................................................... 3

1.2 User benefits .................................................................................................................... 3

1.3 Manufacturer’s safety instructions.................................................................................. 3

1.4 Relevant standards / Literature....................................................................................... 4

2 Terms and definitions 5

3 Description of the subsystem 6

3.1 Functional principle.......................................................................................................... 6

4 Safety function 7

4.1 Description of the failure categories ............................................................................... 7

4.2 Specification of the safety function .................................................................................. 7

4.3 Redundancy ...................................................................................................................... 8

4.3.1 Sensor drift ............................................................................................................................. 8

4.3.2 Sensor backup ........................................................................................................................ 9

5 Project planning 10

5.1 Applicable device documentation .................................................................................. 10

5.2 Project planning, behaviour during operation and malfunction.................................... 10

5.2.1 SIL data ................................................................................................................................. 10

6 Periodic checks / Proof tests 11

6.1 Periodic checks .............................................................................................................. 11

6.2 Proof tests ...................................................................................................................... 11

7 Safety-related characteristics 13

7.1 Assumptions ................................................................................................................... 13

7.2 Specific safety-related characteristics .......................................................................... 14

8 Appendix 19

8.1 Declaration of conformity for Functional Safety (SIL) ................................................... 19

8.2 exida / FMEDA management summary ......................................................................... 20

8.3 Return / maintenance form............................................................................................ 23

2

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

1.1 Field of application

The TT 51 C is a universal, isolated, dual-input temperature transmitter for RTD and

thermocouple sensors. It’s primarily intended to be mounted in a DIN-B housing.

TT 51 R is the rail mounted version of the TT 51 series.

TT 51 C Ex and TT 51 R Ex are the intrinsically safe versions of the TT 51 series. An S is added for
the SIL versions, e.g. TT 51 C ExS.

The TT 51 temperature transmitter utilizes a modular design in hardware as well as in software
to ensure the quality and reliability of the transmitter signal output to meet the special safety
requirements according to IEC 61508-2.

1.2 User benefits

• This intelligent HART® temperature transmitter is designed to perform temperature
measurements of solids, fluids and gases up to SIL2 according to special safety requirements
of IEC 61508-2 (see exida FMEDA report KROHNE 09/12-72 R011).

• Remote configuration with process control system, PC or HART
possible in combination with SIL activation to prevent unintended changes, only read-out of

parameters from the unit is possible via HART
function the software ConSoft and USB-kit ICON must be used.

• Continuous measurement

• Easy commissioning

INTRODUCTION 1

®

hand terminal is not

®

. To change settings or deactivate the SIL

not

notnot

SIL2 requirements are based on the standards current at the time of certification.

The TT 51 S certification involves the HW assessment of the TT 51 S products with an FMEDA.

1.3 Manufacturer’s safety instructions

The measuring device has been built and tested in accordance with the current state of the art,
and complies with the relevant safety standards.

However, dangers may arise from improper use or use for other than intended purpose.

For this reason, observe all the safety instructions in this document carefully.

INFORMATION!

This "Safety manual" is a complement to the regular handbook.
In addition to the safety rules in this documentation, national and regional safety rules and
industrial safety regulations must also be observed.

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

3

1 INTRODUCTION

1.4 Relevant standards / Literature

•[N1]• IEC 61508 part 2 - Functional safety of electrical/electronic/programmable electronic

safety-related systems;

• Part 2: Requirements for electrical/electronic/programmable electronic safety­related systems

•[N2]• IEC 61326-3-1:2008 - Immunity requirements for safety-related systems and for
equipment intended to perform safety-related functions (functional safety) - General
industrial applications

•[N3]• Namur NE 21 - Electromagnetic compatibility of industrial process and laboratory
control equipment

•[N4]• Namur NE 32 - Data retention in the event of a power failure in field and control
instruments with microprocessors

•[N5]• Namur NE 43 - Standardization of the signal level for the failure information of digital
transmitters

•[N6]• Namur NE 53 - Software of field devices and signal processing devices with digital
electronics

•[N7]• Namur NE 79 - Microprocessor equipped devices for safety instrumented systems

•[N8]• Namur NE 89 - Temperature transmitter with digital signal processing

•[N9]• Namur NE 107 - Self-monitoring and diagnosis of field devices

•[N10]• EN 60079-0:2006 - Electrical apparatus for explosive gas atmospheres;

• Part 0: General requirements

•[N11]• EN 60079-11:2007 - Explosive atmospheres;

• Equipment protection by intrinsic safety "i"

•[N12]• EN 60079-15:2005 - Electrical apparatus for explosive gas atmospheres

• Part 15: Construction, test and marking of type of protection "n" electrical apparatus

•[N13]• EN 60079-26:2007 - Explosive atmospheres

• Part 26: Equipment with equipment protection level (EPL) Ga

TT 51 SERIES

4

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

Used abbreviations

TERMS AND DEFINITIONS 2

DC

D

FIT

FMEA Failure Modes Effects Analysis is a structured qualitative analysis of a system,

FMEDA Failure Modes Effects and Diagnostic Analysis adds a qualitative failure data for all

HFT Hardware Fault Tolerance

Low demand mode Mode, where the frequency of demand for operation made on a safety-related

High demand
mode

MTBF Mean Time Between Failure is average time between failure occurrences.

MTTR Mean Time To Restoration is average time needed to restore normal operation after

PFD

AVG

PFH Probability of Failure per Hour is the probability of a system to have a dangerous

SFF Safe Failure Fraction summarizes the fraction of failure, which lead to a safe state

SIF Safety Instrumented Function

SIL Safety Integrity Level

Type A component "Non-complex" subsystem (all failure modes are well defined);

Type B component "Complex" subsystem (at least one failure mode are not well defined);

T[Proof] Proof Test Interval

Diagnostic Coverage of dangerous failures.
Diagnostic coverage is the ratio of the detected failure rate to the total failure rate.

Failure In Time (1x10-9 failures per hour)

subsystem, process, design or function to identify potential failure modes, their
causes and their effects on (system) operation.

components being analyzed and ability of the system to detect internal failures via
automatic on-line diagnostics parts to FMEA.

system is not greater than one per year and not greater than twice the proof-test
frequency.

Mode, where the frequency of demands for operation made on a safety-related
system is greater than one per year and greater than twice the proof-check
frequency.

a failure has occurred.

Probability of Failure on Demand is the average probability of a system to fail to
perform its design function on demand.

failure occur per hour.

and the fraction of failures which will be detected by diagnostic measures and lead
to a defined safety action.

for details see 7.4.3.1.2 of IEC 61508-2.

for details see 7.4.3.1.3 of IEC 61508-2.

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

5

3 DESCRIPTION OF THE SUBSYSTEM

3.1 Functional principle

The TT 51 series supports up to two sensor channels with general input circuits that may be
configured for RTD and/or thermocouple temperature sensors.

All safety related calculations are based on these connections.

Functional principle of the TT 51 series is based on the analog to digital and back to analog signal
conditioning. The temperature sensors used are either Resistance Temperature Device(s) (RTD)
or thermocouple(s) (T/C). The RTD has a temperature dependent, non-linear, variable resistance
while the T/C generates a low level, highly non-linear, EMF (voltage) that depends on the
temperature difference between opposite ends of the T/C wire pair. Hence the connection end of
the T/C (cold junction) constitutes a temperature reference or base value that has to be
measured in order to determine the temperature at the critical spot (hot junction). This action is
referred to as cold junction compensation (CJC). One or two sensors of the same or different
types may be connected.

The low level analogue signal from temperature sensors is amplified and filtered before
converting it to a digital signal. The digital signal is less prone to electromagnetic interference.
Digital signal processing like sensor linearization, calculation, temperature drift compensation
etc. is controlled by processors, isolated and converted back to analogue 4...20 mA output signal.

TT 51 SERIES

The TT 51 are smart temperature transmitter which improves predicting problems within the

industrial safety instrumented systems – SIS, reducing the manual testing.

The TT 51 is a modular and configurable system with the ability to pre-configure inputs for
measuring sensor(s) and outputs to fault conditions. Configuration of the transmitter is
protected by password.

6

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

4.1 Description of the failure categories

The following definitions of the failure are used during diagnostic calculations:

SAFETY FUNCTION 4

Fail-Safe State The fail-safe state is defined as the output reaching the user defined

Fail - Safe A safe failure (S) is defined as a failure that causes the

Fail Dangerous A dangerous failure is defined as a failure of the temperature transmitter

Fail Dangerous Undetected Failure that is dangerous and that is not being diagnosed by internal

Fail Dangerous Detected Failure that is dangerous but is detected by internal diagnostics and

Fail High Failure that causes the output signal to go to the maximum output current

Fail Low Failure that causes the output signal to go to the minimum output current

No Effect Failure of a component that is part of the safety function but is neither a

Not part Failures of a component which is not part of the safety function but part of

threshold value.

module/(sub)system to go to the defined fail-safe state without a demand
from the process. Safe failures are divided into safe detected (SD) and safe
undetected (SU) failures.

TT 51 C not responding to a demand from the process, i.e. being unable to
go to the defined fail-safe state, and the output current deviates by more
than 2% of measuring span of the actual temperature measurement
value.

diagnostics.

causes the output signal to go to the predefined alarm state (These
failures may be converted to the selected fail-safe state).

(> 21 mA) acc. to NAMUR NE 43.

(< 3.6 mA) acc. to NAMUR NE 43.

safe failure nor a dangerous failure and has no effect on the safety
function. For the calculation of the SFF it is treated like a safe undetected
failure.

the circuit diagram.

4.2 Specification of the safety function

The safety function of the TT 51 transmitter is the quality and reliability of the transmitter signal
output, i.e. measurement performance, error detection and error indication in the signal­processing path of the transmitter.

The valid range of the output signal is between 3.8 mA and 20.5 acc. to NE 43.

The failure information is defined by two selectable alarm levels: Fail Low (Downscale ≤ 3.6 mA)
and Fail High (Upscale ≥ 21 mA).

The configuration of the transmitter is protected by the password in the software ConSoft. The
password is then stored in the transmitter.

The TT 51 checks sensor errors (sensor break or sensor short) for both channels if it is
configured in this manner.

A software SIL-switch is available in the transmitter, handled by the PC-configuration software
ConSoft. It is also password-protected. It can also be changed by HART

password-protected.

®

communication, still

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

7

4 SAFETY FUNCTION

Function Active/Not Active Output Alarm level 1

Sensor break Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Sensor short Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Low isolation Not active - ­System error 2 Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Sensor drift (dual
sensor needed) 3

1 For some system failures the alarm output will toggle between a high alarm level (≥21.0 mA)
and a low alarm level (≤3.6 mA). For some HW failures the alarm level will be high even though a
low level is configured and for some other HW failures the alarm will go low even though a high
level has been selected.

To prevent a safety system from restart due to the toggling output the system should be setup so

that once an alarm signal has occurred from the safety loop the system shouldn’t go back to

normal run automatically but only manual ("Restart Interlock").

2 System errors = failures in the software or hardware detected by the diagnostics in the
transmitter.

Active/Not Active
selectable

TT 51 SERIES

4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

3 The sensor drift function is valid from SW-versions; IPM-SW 01.01.03 and OPM-SW 01.01.04
and hardware versions 5 and later, implemented in transmitters with serial number 1006.xxxxxx
or later. Serial number 1006.xxxxxx means manufactured week 6 in 2010 and this information is
found on the nameplate or it can be read from the transmitter via ConSoft. The software and
hardware versions can be read from the ConSoft software, tab "Device Information".

4.3 Redundancy

For the following configurations:

• 2 x 2w RTD sensors

• 2 x 3w RTD sensors

• 2 x Thermocouple sensors

• 1x Thermocouple sensor and 1 x 3w RTD sensor

• 1x Thermocouple sensor and 1 x 4w RTD sensor (only valid for TT 51 R)

are either "Sensor drift monitoring" function or "Sensor backup" function selectable at a time.

4.3.1 Sensor drift

If the function "Sensor drift" monitoring is selected, a difference between the sensors of more or
equal to the value stated in the configuration will cause the output to go either "Downscale" or
"Upscale" depending on the user configuration. Maximum temperature difference has to be

specified in °C via ConSoft.

8

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

4.3.2 Sensor backup

If "Sensor backup" function is activated the sensor chosen as output measuring in the

configuration will reflect the actual measuring value as long as it’s working properly. A sensor

break or a sensor short cause the transmitter to switch over to the other sensor and the output
signal will reflect the measured value of that sensor. A diagnostic message is transmitted via

®

HART

If the "Average" function is activated in the configuration, the output value will reflect the actual
mean measuring value as long as the sensors are working properly. A sensor break or a sensor
short cause the transmitter to switch over to the non-broken sensor and the output signal will

reflect the measured value of that sensor. A diagnostic message is transmitted via HART
PLC.

INFORMATION!

The functions "Sensor backup" and "Average" doesn't give any extra safety according to SIL and
are not used for calculating the system (transmitter + sensor) safety figures.

CAUTION!

The possibility to select the function for sensor drift monitoring is implemented in software
revision IPM-SW 01.01.03 and OPM-SW 01.01.04, from serial number 1006.xxxxxx.

to the PLC.

SAFETY FUNCTION 4

®

to the

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

9

5 PROJECT PLANNING

5.1 Applicable device documentation

TT 51 SERIES

[D1] TT 51 series - Technical Datasheet: 2-wire transmitter for temperature, resistance or voltage

[D2] TT 51 series - Handbook: 2-wire transmitter for temperature, resistance or voltage

[D3] exida FMEDA report: KROHNE 09/12-72 R011

measurement

Reference: 08/2010 - 4000869702 - TD TT51 R02 en

measurement

Reference: 08/2010 - 4000754201 - MA TT51 R01 en

5.2 Project planning, behaviour during operation and malfunction

• Under normal conditions the useful operating lifetime is 10 years (8...12 years).

• Requirements made in the handbook have to be kept.

• Repair and inspection intervals are based on safety calculation.

• For repairs or recalibration of the SIL transmitter, use the original or a suitable secure

packing, include a properly filled out return form (see Appendix) and send the device to the
manufacturer for service.
Note: It is of vital importance that all type of failures of the equipment are reported to the
manufacturer in order to make it possible for the company to make corrective actions and
prevent systematic errors.

• The owner of hazardous waste is responsible for disposal of it. However all transmitter

produced by the manufacturer are free from any hazardous materials.

• Modifications made without specifically authorization of the manufacturer are strictly

prohibited.

5.2.1 SIL data

• Measurement accuracy in SIL mode: a hardware error influencing the measured value will

• System Error Detection Time: < 5 min (for a complete software check running in background

• Update times for input signals change, with filter set to default value 4 and SIL-switch on: 1

• Update times for input signals change, with filter set to default value 4 and SIL-switch on: 2

• Minimum supply needed for system safety functions to work properly: ≥ 15 VDC

result in a system error signal if the measured signal deviates more than 2% of selected input
span

when SIL is activated)

input channel: <2s

input channels: < 3 s

10

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

6.1 Periodic checks

The user of the transmitter is responsible for:

• The set-up, SIL rating and validation of any sensors connected to the transmitter

• Project management and functional testing

• Configuration of the transmitter according to the description in the following chapters.

It is recommended that the user performs regularly proof tests of the sensors used with the SIL
transmitters.

Proof test of the SIL transmitter should be made based on the required PFD depending on the
used sensor. For detailed information refer to

For PFH figures a proof test interval of one year is recommended. The needed frequency of proof
tests necessary for the safety-related system must be found by the customer.

The proof tests should be done by the user at following measures:

• At commissioning of the SIL transmitter

• Replacement of the old connected temperature sensor by new ones

• Reconfiguration of the SIL device

• At need of the SIL transmitter relocation

PERIODIC CHECKS / PROOF TESTS 6

Safety-related characteristics

on page 13.

6.2 Proof tests

The proof tests shall cover SIL safety test requirements. Up to 99% of the internal failures shall
be detected via the proof tests. The input to the SIL transmitter is simulated and tested for the
internal errors in the hardware and the firmware.

Proof test configuration

Step Description

1 Connect transmitter to the PC via USB interface.

2 Start ConSoft (Check version: "Help menu → About").

3 Identify transmitter by clicking on "Read from transmitter" button.

4 Decide the choice of the SIL password (default value is "0000").

5 Configure the transmitter by selecting sensors tab in the transmitter window.

5.1 The sensor for Channel 1 and the connection for Channel 1.

5.2 The sensor for Channel 2 and the connection for Channel 2.

6 Choose measuring range for process value by selecting "Function" tab in the transmitter window

6.1 Select measuring output mapping (Channel 1; Channel 2; Ch 1 minus Ch 2; Ch 2 minus Ch 1; minimum of Ch

6.2 Select output values in mA which correspond to the chosen measuring range.

6.3 Select filtering level and line frequency rejection.

7 In the error monitoring tab select check box for sensor break. Select upscale (≥21 mA) value.

7.1 Select check box for sensor short circuit. Select upscale (≥21 mA) value.

7.2 Select check box for sensor low isolation. Select upscale (≥21 mA) value.

7.3 Select check box for sensor backup.

1 and Ch 2; maximum of Ch 1 and Ch 2; Average of Ch 1 and Ch 2).

Select desired resistance limit; default: 300 kΩ

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

11

6 PERIODIC CHECKS / PROOF TESTS

Step Description

8 Select device information tab. Specify a mounting date in tag field.

8.1 Describe the proof test in the description field and date of the test.

8.2 Specify any other information in the message field.

Proof test check points

Step Description Yes No Comments

TT 51 SERIES

1 Connect the selected sensors on Ch 1 and Ch 2 and

2 Simulate sensor break for each single wire and check

3 Simulate sensor short between 1...5 terminals and

4 Simulate sensor break or sensor short (one error at a

check for the output range values.

the output value (≥21 mA).

check the output value (≥21 mA).

time) for sensor connected on Ch 1. Check if the
transmitter will switch automatically over to
measuring on Ch 2.

• Repeat configurations points 7...8.2 of the proof test configuration and change to down scale

error value (≤3.6 mA).

• Repeat all check points (to be sure the transmitter is not stuck in some of conditions).

12

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

7.1 Assumptions

The following assumptions have been made during the Failure Modes, Effects and Diagnostic
Analysis of the HART

• Failure rates are constant, wear out mechanisms are not included.

• Propagation of failures is not relevant.

• External power failure rates are not included.

• The mean time to restoration (MTTR) after safe failure is 24 hours.

• For safety applications only the 4..20 mA output was considered. The HART

TT 51 C&R is only used for setup and diagnostic purpose, not during safety operation mode.

• The failure rates of the electronic components used in this analysis are obtained from a

collection of industrial databases.

• The temperature transmitters with 4..20 mA output are considered to be type B subsystems

with a hardware fault tolerance of 0.

• The failure rates do not include failures resulting from incorrect use of the equipment.

• The HART

safety operation mode.

SAFETY-RELATED CHARACTERISTICS 7

®

temperature transmitter TT 51 C&R SIL.

®

protocol at

®

protocol is only used for setup, calibration and diagnostics purpose, not during

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

13

7 SAFETY-RELATED CHARACTERISTICS

7.2 Specific safety-related characteristics

According to table 2 of IEC 61508-1 the average PFD for systems operating in low demand mode

-3

has to be ≥10
high demand mode of operation the PFH value has to be ≥10

table 3 of IEC 61508-1. A generally accepted distribution of PFD
the sensor part, logic solver part, and final element part assumes that 35% of the total SIF

PFD

value is caused by the sensor part (including the transmitter).

avg

to ≤10-2 for SIL 2 Safety Instrumented Functions (SIFs). For systems operating in

TT 51 SERIES

-7

to ≤10-6 for SIL 2 SIFs according to

and PFH values of a SIF over

avg

For a SIL 2 application operating in low demand
smaller than 1.00E-02, hence the maximum allowable PFD

low demand mode the total PFD

low demandlow demand

value for the sensor part would

avg

value of the SIF should be

avg

then be 3.50E-03.

For a SIL 2 application operating in high demand

high demand mode the total PFH value for the SIF should be

high demandhigh demand
smaller than 1.00E-06 1/h, hence the maximum allowable PFH value for the sensor part would
be 3.50E-07 1/h.

For type B components with a hardware fault tolerance of 0 the SFF shall be > 90% for SIL 2 SIFs
according to table 3 of IEC 61508-2.

λSD: Fail safe detected

λSU: Fail safe undetected

λDD: Fail dangerous detected

λDU: Fail dangerous undetected

FIT: Failure rate [1/h]

SFF: The number listed is for reference only. The SFF, PFD

the complete subsystem.

PFD

: The PFD

avg

T[Proof]: It is assumed that proof testing is performed with a proof test coverage of 99%.

PFH: = λDU (Fail dangerous undetected)

SIL AC: SIL AC (architectural constraints) means that the calculated values are within the range for

considered in combination with PFD
Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL)
For SIL 1 applications, the PFD

For SIL 2 applications, the PFD

hardware architectural constraints for the corresponding SIL level

was calculated for profile 2 using Markov modeling. The results must be

avg

avg

avg

values of other devices of the Safety Instrumented

avg

value needs to be < 10-1 for the SIF.
value needs to be < 10-2 for the SIF.

and PFH must be determined for

avg

14

Under the assumptions described in the chapter before and the definitions given in chapter
"Desription of the failure categories" the following table show the failure rates according to
IEC 61508.

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

Single RTD 2/3w sensor

SAFETY-RELATED CHARACTERISTICS 7

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

The boxes marked in light grey in the following tables mean that the calculated PFD
PFH values are within the allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 but do not

fulfill the requirement to not claim more than 35% of this range, i.e. to be better than or equal to

3.50E-03 respectively 3.50E-07 1/h.
The boxes marked in medium grey mean that the calculated PFD

allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 and do fulfill the requirement to not
claim more than 35% of this range, i.e. to be better than or equal to 3.50E-03 respectively

3.50E-07 1/h.
The boxes marked in dark grey indicate that the PFD

the requirements for SIL 2 of table 2 / 3 of IEC 61508-1.

Failure category SFF PFD

λSDλSUλ

DDλDU

avg

at T

= PFH SIL AC

proof

[FIT] [%] 1 year 2 years 5 years 10 years

0 146 427 49 92.1 2.44E-04 4.57E-04 1.09E-03 2.16E-03 4.90E-08 SIL 2

0 146 1175 213 86.1 1.05E-03 1.97E-03 4.74E-03 9.36E-03 2.13E-07 (SIL 2)

0 146 768 135 87.1 6.63E-04 1.25E-03 3.00E-03 5.93E-03 1.35E-07 (SIL 2)

0 146 7988 1940 80.7 9.45E-03 1.79E-02 4.31E-02 8.52E-02 1.94E-06 (SIL 1)

and/or

avg

and PFH values are within the

avg

respectively the PFH values do not fulfill

avg

Dual RTD 3w sensor with activated sensor drift monitoring

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

Failure category SFF PFD

λSDλSUλ

DD

λ

DU

[FIT] [%] 1 year 2 years 5 years 10 years

0 146 483 41 93.9 2.07E-04 3.85E-04 9.18E-04 1.81E-03 4.10E-08 SIL 2

0 146 2291 57 97.7 3.27E-04 5.74E-04 1.35E-03 2.55E-03 5.70E-08 SIL 2

0 146 1329 50 96.7 2.71E-04 4.87E-04 1.14E-03 2.22E-03 5.00E-08 SIL 2

0 146 19198 230 98.8 1.56E-03 2.56E-03 5.55E-03 1.05E-02 2.30E-07 (SIL 1)

avg

at T

= PFH SIL AC

proof

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

15

7 SAFETY-RELATED CHARACTERISTICS

Single RTD 4w sensor

TT 51 SERIES

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

The boxes marked in light grey in the following tables mean that the calculated PFD
PFH values are within the allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 but do not

fulfill the requirement to not claim more than 35% of this range, i.e. to be better than or equal to

3.50E-03 respectively 3.50E-07 1/h.
The boxes marked in medium grey mean that the calculated PFD

allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 and do fulfill the requirement to not
claim more than 35% of this range, i.e. to be better than or equal to 3.50E-03 respectively

3.50E-07 1/h.
The boxes marked in dark grey indicate that the PFD

the requirements for SIL 2 of table 2 / 3 of IEC 61508-1.

Failure category SFF PFD

λSDλSUλ

DD

λ

DU

avg

at T

= PFH SIL AC

proof

[FIT] [%] 1 year 2 years 5 years 10 years

0 146 436 43 93.1 2.16E-04 4.02E-04 9.62E-04 1.89E-03 4.30E-08 SIL 2

0 146 1338 90 94.2 4.62E-04 8.52E-04 2.02E-03 3.97E-03 9.00E-08 (SIL 2)

0 146 883 45 95.8 2.36E-04 4.31E-04 1.024E-03 1.99E-03 4.50E-08 SIL 2

0 146 10288 140 98.6 9.15E-04 1.52E-03 3.34E-03 6.38E-03 1.40E-07 (SIL 2)

and/or

avg

and PFH values are within the

avg

respectively the PFH values do not fulfill

avg

Dual RTD 4w sensor with activated sensor drift monitoring (only for TT 51 R SIL versions); in
preparation

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

Failure category SFF PFD

λSDλSUλ

DDλDU

[FIT] [%] 1 year 2 years 5 years 10 years

0

0

0

0

avg

at T

= PFH SIL AC

proof

16

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

Single TC sensor

SAFETY-RELATED CHARACTERISTICS 7

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

The boxes marked in light grey in the following tables mean that the calculated PFD
PFH values are within the allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 but do not

fulfill the requirement to not claim more than 35% of this range, i.e. to be better than or equal to

3.50E-03 respectively 3.50E-07 1/h.
The boxes marked in medium grey mean that the calculated PFD

allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 and do fulfill the requirement to not
claim more than 35% of this range, i.e. to be better than or equal to 3.50E-03 respectively

3.50E-07 1/h.
The boxes marked in dark grey indicate that the PFD

the requirements for SIL 2 of table 2 / 3 of IEC 61508-1.

Failure category SFF PFD

λSDλSUλ

DD

λ

DU

avg

at T

= PFH SIL AC

proof

[FIT] [%] 1 year 2 years 5 years 10 years

0 146 483 45 93.3 2.26E-04 4.22E-04 1.01E-03 1.98E-03 4.50E-08 SIL 2

0 146 2288 140 94.5 7.325E-04 1.33E-03 3.15E-03 6.19E-03 1.40E-07 (SIL 2)

0 146 1288 140 91.1 6.99E-04 1.31E-03 3.13E-03 6.16E-03 1.40E-07 (SIL 2)

0 146 18388 2040 90.0 1.02E-02 1.90E-02 4.56E-02 8.98E-02 2.04E-06 (SIL 1)

and/or

avg

and PFH values are within the

avg

respectively the PFH values do not fulfill

avg

Dual TC sensor

Failure category SFF PFD

λSDλSUλ

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

0 146 588 41 94.7 2.10E-04 3.88E-04 9.21E-04 1.81E-03 4.10E-08 SIL 2

0 146 4378 50 98.9 3.44E-04 5.61E-04 1.21E-03 2.30E-03 5.00E-08 SIL 2

0 146 2378 50 98.0 2.96E-04 5.13E-04 1.16E-03 2.25E-03 5.00E-08 (SIL 2)

0 146 40188 240 99.4 2.11E-03 3.15E-03 6.27E-03 1.15E-02 2.40E-07 (SIL 1)

DD

at T

avg

λ

DU

= PFH SIL AC

proof

[FIT] [%] 1 year 2 years 5 years 10 years

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

17

7 SAFETY-RELATED CHARACTERISTICS

Single TC + Single RTD 2/3w

TT 51 SERIES

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

The boxes marked in light grey in the following tables mean that the calculated PFD
PFH values are within the allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 but do not

fulfill the requirement to not claim more than 35% of this range, i.e. to be better than or equal to

3.50E-03 respectively 3.50E-07 1/h.
The boxes marked in medium grey mean that the calculated PFD

allowed range for SIL 2 according to table 2 / 3 of IEC 61508-1 and do fulfill the requirement to not
claim more than 35% of this range, i.e. to be better than or equal to 3.50E-03 respectively

3.50E-07 1/h.
The boxes marked in dark grey indicate that the PFD

the requirements for SIL 2 of table 2 / 3 of IEC 61508-1.

Failure category SFF PFD

λSDλSUλ

DD

λ

DU

avg

at T

= PFH SIL AC

proof

[FIT] [%] 1 year 2 years 5 years 10 years

0 146 535 41 94.3 2.09E-04 3.86E-04 9.20E-04 1.81E-03 4.10E-08 SIL 2

0 146 3334 54 98.4 3.38E-04 5.72E-04 1.27E-03 2.45E-03 5.40E-08 SIL 2

0 146 1853 50 97.5 2.83E-04 5.00E-04 1.15E-04 2.23E-03 5.00E-08 SIL 2

0 146 29693 235 99.2 1.83E-03 2.85E-03 5.93E-03 1.10E-02 2.35E-07 (SIL 1)

and/or

avg

and PFH values are within the

avg

respectively the PFH values do not fulfill

avg

Single TC + Single RTD 4w

Failure category SFF PFD

Close
coupled low
stress

Close
coupled high
stress

Extension
wires low
stress

Extension
wires high
stress

λSDλSUλ

0 146 538 40 94.4 2.04E-04 3.77E-04 8.98E-04 1.76E-03 4.00E-08 SIL 2

0 146 3381 48 98.6 3.10E-04 5.18E-04 1.14E-03 2.18E-03 4.80E-08 SIL 2

0 146 1883 45 97.8 2.60E-04 4.55E-04 1.04E-03 2.02E-03 4.50E-08 SIL 2

0 146 30283 145 99.5 1.42E-03 2.05E-03 3.93E-03 7.08E-03 1.45E-07 (SIL 2)

DD

[FIT] [%] 1 year 2 years 5 years 10 years

at T

avg

λ

DU

= PFH SIL AC

proof

18

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

8.1 Declaration of conformity for Functional Safety (SIL)

APPENDIX 8

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

19

8 APPENDIX

8.2 exida / FMEDA management summary

TT 51 SERIES

20

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

APPENDIX 8

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

21

8 APPENDIX

TT 51 SERIES

22

www.krohne.com 09/2010 - 4000869801 - AD TT 51 SIL R01 en

TT 51 SERIES

8.3 Return / maintenance form

Customer details

Company:

Address:

Contact person:

Telephone:

Fax:

Email:

Device details

Product ID:

Serial no.:

Reason for the return / maintenance:

APPENDIX 8

Have you performed the proof test on the product? Yes No

If yes please fill out the table with following check points.

Before you begin, configure the TT 51 for RTD measurement 3-wire connection on both

channels. Select measuring range 0...+100°C, output – dedicated dynamic variable Ch1 select

sensor break and sensor short circuit to downscale, therefore to upscale value.

Select even sensor backup.

Proof test check points

Step Description Yes No Comments

1 Connect the selected sensors on Ch 1 and Ch2 and

2 Simulate sensor break for each single wire (on

3 Simulate sensor short between 1...5 terminals and

4 Simulate sensor break or sensor short (one error at a

check for the output range value is within measuring
range.

terminals 1...5) and check the output value (≥21 mA) /
(≤3.6 mA).

check the output value (≥21 mA) / (≤3.6 mA).

time) for sensor connected on Ch 1. Check if the
transmitter will switch automatically over to
measuring on Ch 2.

www.krohne.com09/2010 - 4000869801 - AD TT 51 SIL R01 en

23

KROHNE product overview

• Electromagnetic flowmeters

• Variable area flowmeters

• Ultrasonic flowmeters

• Mass flowmeters

• Vortex flowmeters

• Flow controllers

• Level meters

• Temperature meters

• Pressure meters

• Analysis products

• Measuring systems for the oil and gas industry

• Measuring systems for sea-going tankers

Head Office KROHNE Messtechnik GmbH
Ludwig-Krohne-Str. 5
D-47058 Duisburg (Germany)
Tel.:+49 (0)203 301 0
Fax:+49 (0)203 301 10389
info@krohne.de

© KROHNE 09/2010 - 4000869801 - AD TT 51 SIL R01 en - Subject to change without notice.

The current list of all KROHNE contacts and addresses can be found at:
www.krohne.com