KROHNE TT51 User Manual

TT 51 SERIES	Supplementary instructions

2-wire transmitter for temperature, resistance or voltage measurement

Safety manual SIL

© KROHNE 09/2010 - 4000869801 - AD TT 51 SIL R01 en

	CONTENTS
		TT 51 SERIES

1	Introduction		3
	1.1	Field of application ...........................................................................................................	3
	1.2	User benefits ....................................................................................................................	3
	1.3	Manufacturer’s safety instructions..................................................................................	3
	1.4	Relevant standards / Literature.......................................................................................	4
2	Terms and definitions		5
3	Description of the subsystem		6
	3.1	Functional principle..........................................................................................................	6
4	Safety function		7
	4.1	Description of the failure categories ...............................................................................	7
	4.2	Specification of the safety function ..................................................................................	7
	4.3	Redundancy ......................................................................................................................	8
	4.3.1 Sensor drift .............................................................................................................................		8
	4.3.2 Sensor backup ........................................................................................................................		9
5	Project planning		10
	5.1	Applicable device documentation ..................................................................................	10
	5.2	Project planning, behaviour during operation and malfunction....................................	10
	5.2.1 SIL data .................................................................................................................................		10
6	Periodic checks / Proof tests		11
	6.1	Periodic checks ..............................................................................................................	11
	6.2	Proof tests ......................................................................................................................	11
7	Safety-related characteristics		13
	7.1	Assumptions ...................................................................................................................	13
	7.2	Specific safety-related characteristics ..........................................................................	14
8	Appendix		19
	8.1	Declaration of conformity for Functional Safety (SIL) ...................................................	19
	8.2	exida / FMEDA management summary .........................................................................	20
	8.3	Return / maintenance form............................................................................................	23

2

www.krohne.com

09/2010 - 4000869801 - AD TT 51 SIL R01 en

		INTRODUCTION 1
	TT 51 SERIES

1.1 Field of application

The TT 51 C is a universal, isolated, dual-input temperature transmitter for RTD and thermocouple sensors. It’s primarily intended to be mounted in a DIN-B housing.

TT 51 R is the rail mounted version of the TT 51 series.

TT 51 C Ex and TT 51 R Ex are the intrinsically safe versions of the TT 51 series. An S is added for the SIL versions, e.g. TT 51 C ExS.

The TT 51 temperature transmitter utilizes a modular design in hardware as well as in software to ensure the quality and reliability of the transmitter signal output to meet the special safety requirements according to IEC 61508-2.

1.2User benefits

•This intelligent HART® temperature transmitter is designed to perform temperature measurements of solids, fluids and gases up to SIL2 according to special safety requirements of IEC 61508-2 (see exida FMEDA report KROHNE 09/12-72 R011).

•Remote configuration with process control system, PC or HART® hand terminal is not possible in combination with SIL activation to prevent unintended changes, only read-out of parameters from the unit is possible via HART®. To change settings or deactivate the SIL function the software ConSoft and USB-kit ICON must be used.

•Continuous measurement

•Easy commissioning

SIL2 requirements are based on the standards current at the time of certification.

The TT 51 S certification involves the HW assessment of the TT 51 S products with an FMEDA.

1.3 Manufacturer’s safety instructions

The measuring device has been built and tested in accordance with the current state of the art, and complies with the relevant safety standards.

However, dangers may arise from improper use or use for other than intended purpose.

For this reason, observe all the safety instructions in this document carefully.

INFORMATION!

This "Safety manual" is a complement to the regular handbook.

In addition to the safety rules in this documentation, national and regional safety rules and industrial safety regulations must also be observed.

09/2010 - 4000869801 - AD TT 51 SIL R01 en

www.krohne.com

3

1 INTRODUCTION
				TT 51 SERIES
1.4 Relevant standards / Literature
•	[N1]	• IEC 61508 part 2 - Functional safety of electrical/electronic/programmable electronic
		safety-related systems;
		• Part 2: Requirements for electrical/electronic/programmable electronic safety-
		related systems
•	[N2]	• IEC 61326-3-1:2008 - Immunity requirements for safety-related systems and for
		equipment intended to perform safety-related functions (functional safety) - General
		industrial applications
•	[N3]	• Namur NE 21 - Electromagnetic compatibility of industrial process and laboratory
		control equipment
•	[N4]	• Namur NE 32 - Data retention in the event of a power failure in field and control
		instruments with microprocessors
•	[N5]	• Namur NE 43 - Standardization of the signal level for the failure information of digital
		transmitters
•	[N6]	• Namur NE 53 - Software of field devices and signal processing devices with digital
		electronics
•	[N7]	• Namur NE 79 - Microprocessor equipped devices for safety instrumented systems
•	[N8]	• Namur NE 89 - Temperature transmitter with digital signal processing
•	[N9]	• Namur NE 107 - Self-monitoring and diagnosis of field devices

•[N10] • EN 60079-0:2006 - Electrical apparatus for explosive gas atmospheres;

•Part 0: General requirements

•[N11] • EN 60079-11:2007 - Explosive atmospheres;

•Equipment protection by intrinsic safety "i"

•[N12] • EN 60079-15:2005 - Electrical apparatus for explosive gas atmospheres

•Part 15: Construction, test and marking of type of protection "n" electrical apparatus

•[N13] • EN 60079-26:2007 - Explosive atmospheres

•Part 26: Equipment with equipment protection level (EPL) Ga

4

www.krohne.com

09/2010 - 4000869801 - AD TT 51 SIL R01 en

		TERMS AND DEFINITIONS 2
	TT 51 SERIES

Used abbreviations

DCD	Diagnostic Coverage of dangerous failures.
	Diagnostic coverage is the ratio of the detected failure rate to the total failure rate.
FIT	Failure In Time (1x10-9 failures per hour)
FMEA	Failure Modes Effects Analysis is a structured qualitative analysis of a system,
	subsystem, process, design or function to identify potential failure modes, their
	causes and their effects on (system) operation.
FMEDA	Failure Modes Effects and Diagnostic Analysis adds a qualitative failure data for all
	components being analyzed and ability of the system to detect internal failures via
	automatic on-line diagnostics parts to FMEA.
HFT	Hardware Fault Tolerance
Low demand mode	Mode, where the frequency of demand for operation made on a safety-related
	system is not greater than one per year and not greater than twice the proof-test
	frequency.
High demand	Mode, where the frequency of demands for operation made on a safety-related
mode	system is greater than one per year and greater than twice the proof-check
	frequency.
MTBF	Mean Time Between Failure is average time between failure occurrences.
MTTR	Mean Time To Restoration is average time needed to restore normal operation after
	a failure has occurred.
PFDAVG	Probability of Failure on Demand is the average probability of a system to fail to
	perform its design function on demand.
PFH	Probability of Failure per Hour is the probability of a system to have a dangerous
	failure occur per hour.
SFF	Safe Failure Fraction summarizes the fraction of failure, which lead to a safe state
	and the fraction of failures which will be detected by diagnostic measures and lead
	to a defined safety action.
SIF	Safety Instrumented Function
SIL	Safety Integrity Level
Type A component	"Non-complex" subsystem (all failure modes are well defined);
	for details see 7.4.3.1.2 of IEC 61508-2.
Type B component	"Complex" subsystem (at least one failure mode are not well defined);
	for details see 7.4.3.1.3 of IEC 61508-2.
T[Proof]	Proof Test Interval

09/2010 - 4000869801 - AD TT 51 SIL R01 en

www.krohne.com

5

3 DESCRIPTION OF THE SUBSYSTEM
	TT 51 SERIES

3.1 Functional principle

The TT 51 series supports up to two sensor channels with general input circuits that may be configured for RTD and/or thermocouple temperature sensors.

All safety related calculations are based on these connections.

Functional principle of the TT 51 series is based on the analog to digital and back to analog signal conditioning. The temperature sensors used are either Resistance Temperature Device(s) (RTD) or thermocouple(s) (T/C). The RTD has a temperature dependent, non-linear, variable resistance while the T/C generates a low level, highly non-linear, EMF (voltage) that depends on the temperature difference between opposite ends of the T/C wire pair. Hence the connection end of the T/C (cold junction) constitutes a temperature reference or base value that has to be measured in order to determine the temperature at the critical spot (hot junction). This action is referred to as cold junction compensation (CJC). One or two sensors of the same or different types may be connected.

The low level analogue signal from temperature sensors is amplified and filtered before converting it to a digital signal. The digital signal is less prone to electromagnetic interference. Digital signal processing like sensor linearization, calculation, temperature drift compensation etc. is controlled by processors, isolated and converted back to analogue 4...20 mA output signal.

The TT 51 are smart temperature transmitter which improves predicting problems within the industrial safety instrumented systems – SIS, reducing the manual testing.

The TT 51 is a modular and configurable system with the ability to pre-configure inputs for measuring sensor(s) and outputs to fault conditions. Configuration of the transmitter is protected by password.

6

www.krohne.com

09/2010 - 4000869801 - AD TT 51 SIL R01 en

		SAFETY FUNCTION 4
	TT 51 SERIES

4.1 Description of the failure categories

The following definitions of the failure are used during diagnostic calculations:

Fail-Safe State	The fail-safe state is defined as the output reaching the user defined
	threshold value.
Fail - Safe	A safe failure (S) is defined as a failure that causes the
	module/(sub)system to go to the defined fail-safe state without a demand
	from the process. Safe failures are divided into safe detected (SD) and safe
	undetected (SU) failures.
Fail Dangerous	A dangerous failure is defined as a failure of the temperature transmitter
	TT 51 C not responding to a demand from the process, i.e. being unable to
	go to the defined fail-safe state, and the output current deviates by more
	than 2% of measuring span of the actual temperature measurement
	value.
Fail Dangerous Undetected	Failure that is dangerous and that is not being diagnosed by internal
	diagnostics.
Fail Dangerous Detected	Failure that is dangerous but is detected by internal diagnostics and
	causes the output signal to go to the predefined alarm state (These
	failures may be converted to the selected fail-safe state).
Fail High	Failure that causes the output signal to go to the maximum output current
	(> 21 mA) acc. to NAMUR NE 43.
Fail Low	Failure that causes the output signal to go to the minimum output current
	(< 3.6 mA) acc. to NAMUR NE 43.
No Effect	Failure of a component that is part of the safety function but is neither a
	safe failure nor a dangerous failure and has no effect on the safety
	function. For the calculation of the SFF it is treated like a safe undetected
	failure.
Not part	Failures of a component which is not part of the safety function but part of
	the circuit diagram.

4.2 Specification of the safety function

The safety function of the TT 51 transmitter is the quality and reliability of the transmitter signal output, i.e. measurement performance, error detection and error indication in the signalprocessing path of the transmitter.

The valid range of the output signal is between 3.8 mA and 20.5 acc. to NE 43.

The failure information is defined by two selectable alarm levels: Fail Low (Downscale ≤ 3.6 mA) and Fail High (Upscale ≥ 21 mA).

The configuration of the transmitter is protected by the password in the software ConSoft. The password is then stored in the transmitter.

The TT 51 checks sensor errors (sensor break or sensor short) for both channels if it is configured in this manner.

A software SIL-switch is available in the transmitter, handled by the PC-configuration software

ConSoft. It is also password-protected. It can also be changed by HART® communication, still password-protected.

09/2010 - 4000869801 - AD TT 51 SIL R01 en

www.krohne.com

7

4 SAFETY FUNCTION
					TT 51 SERIES
	Function		Active/Not Active	Output	Alarm level 1
	Sensor break		Active	4...20 mA / 20...4 mA	≤3.6 mA / ≥21.0 mA
	Sensor short		Active	4...20 mA / 20...4 mA	≤3.6 mA / ≥21.0 mA
	Low isolation		Not active	-	-
	System error 2		Active	4...20 mA / 20...4 mA	≤3.6 mA / ≥21.0 mA
	Sensor drift (dual		Active/Not Active	4...20 mA / 20...4 mA	≤3.6 mA / ≥21.0 mA
	sensor needed) 3		selectable

1 For some system failures the alarm output will toggle between a high alarm level (≥21.0 mA) and a low alarm level (≤3.6 mA). For some HW failures the alarm level will be high even though a low level is configured and for some other HW failures the alarm will go low even though a high level has been selected.

To prevent a safety system from restart due to the toggling output the system should be setup so that once an alarm signal has occurred from the safety loop the system shouldn’t go back to normal run automatically but only manual ("Restart Interlock").

2 System errors = failures in the software or hardware detected by the diagnostics in the transmitter.

3 The sensor drift function is valid from SW-versions; IPM-SW 01.01.03 and OPM-SW 01.01.04 and hardware versions 5 and later, implemented in transmitters with serial number 1006.xxxxxx or later. Serial number 1006.xxxxxx means manufactured week 6 in 2010 and this information is found on the nameplate or it can be read from the transmitter via ConSoft. The software and hardware versions can be read from the ConSoft software, tab "Device Information".

4.3 Redundancy

For the following configurations:

•2 x 2w RTD sensors

•2 x 3w RTD sensors

•2 x Thermocouple sensors

•1x Thermocouple sensor and 1 x 3w RTD sensor

•1x Thermocouple sensor and 1 x 4w RTD sensor (only valid for TT 51 R)

are either "Sensor drift monitoring" function or "Sensor backup" function selectable at a time.

4.3.1 Sensor drift

If the function "Sensor drift" monitoring is selected, a difference between the sensors of more or equal to the value stated in the configuration will cause the output to go either "Downscale" or "Upscale" depending on the user configuration. Maximum temperature difference has to be specified in °C via ConSoft.

8

www.krohne.com

09/2010 - 4000869801 - AD TT 51 SIL R01 en