Abb Tth300 series User manual

—

ABB MEASUREMENT & ANALYTICS | SIL-SAFETY MANUAL

TTH300, TTF300

Temperature transmitter

Additional instructions for

IEC 61508 compliant devices

Measurement made easy

—

TTH300

TTF300 Introduction

TTH300, TTF300 sensor-head and field mounting for

standard and high temperature measurement.

This document must be considered in conjunction

with related operating instructions.

Additional information

Additional documentation on temperature

transmitter is available for download free of charge

at www.abb.com/temperature.

Alternatively simply scan this code:

TTH300 TTF300

2 TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E

Table of contents

1Application area..........................................................................................3

2Purpose ........................................................................................................3

3Terms and definitions............................................................................... 4

4Associated documents ............................................................................. 5

5Safety function .......................................................................................... 6

Alarm behavior and alarm current output .................................................................6

Overall safety accuracy.................................................................................................. 6

Diagnostic test interval................................................................................................. 6

Type classification .........................................................................................................6

Useful Lifetime................................................................................................................ 7

Systematic Capability.................................................................................................... 7

Safe Failure Fraction SFF .............................................................................................. 7

Average probability of dangerous failure on demand PFDAVG............................. 7

6Constraints................................................................................................. 8

7Periodic proof test and maintenance ..................................................... 9

Proof Test ........................................................................................................................ 9

8Installation, commissioning & configuration....................................... 10

Activating / Deactivating write protection ............................................................. 10

Check write protection................................................................................................ 10

Sensor redundancy with drift detection.................................................................. 10

Check sensor redundancy with drift detection ...................................................... 10

9Identification ............................................................................................11

10Example PFDAVG Calculation..................................................................12

11Failure modes, failure rates and diagnostics........................................12

Failure Rates.................................................................................................................. 12

Assumptions ................................................................................................................. 13

Diagnostics.................................................................................................................... 13

12Notes on Cyber security.......................................................................... 14

13Release history......................................................................................... 14

14Appendix....................................................................................................15

Exida FMEDA Report.................................................................................................... 15

Change from one to two columns

Change from tw o to one column

TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E 3

1Application area

The TTH300 and TTF300-*H Series temperature transmitter are 2-wire 4 to 20 mA devices for the temperature monitoring of solids,

fluids and gases of all types in containers and piping.

Combined with a single or dual channel temperature sensor assembly, the temperature transmitters become a temperature sensor

assembly.

The temperature sensors that can be connected to the temperature transmitters TT*300-*H for safety applications are:

• 2-, 3- and 4-wire RTD

•Thermocouple

The order variant ‘SIL2 - Declaration of Conformity’ meets the special SIL safety engineering requirements for the integration in

Safety Instrumented Systems in compliance to IEC 61508 Edition 2 part 1 to part 7.

The area of safety application is limited to:

• Up to SIL 2 as single transmitter installation

• Up to SIL 3 as redundant transmitter installation

• Mode of safety operation: Low Demand Mode

• Hardware Fault Tolerance: HFT 0 (as single transmitter installation 1oo1)

• Architectural Constraints: SIL 2 (based on Type B, HFT 0 and SFF â90 %)

• Systematic Capability: SC 3 according IEC 61508

The safety data, constraints, assumptions, installation / maintenance instructions and operating limits defined in the related

documents needs to be considered.

In case of questions and detected safety critical device failures please contact the ABB Customer service center

(Keywords: Product Type Designator, SIL).

Customer service center

Tel: +49 180 5 222 580

Email: [email protected]bb.com

2Purpose

According IEC 61508-2 Annex D ‘Safety manual for compliant items’ the purpose of this safety manual is to document the information

which is required to enable the integration of this item into a safety-related system in compliance with the requirements of the

IEC 61508 standard.

4 TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E

3Terms and definitions

IEC 61508 International standard ‘Functional safety of electrical/electronic/programmable electronic safety-related systems’.

Safety integrityProbability of a safety system satisfactorily performing the specified safety functions under all the stated conditions.

SIL

Safety integrity level

Discrete safety integrity level corresponding to a range of safety integrity values, where level 4 has the highest and level 1 has

the lowest.

Functional safety Part of the overall safety relating to the controlled system that depends on the correct functioning of the safety system and

other risk reduction measures.

Safety function Function to be implemented by a safety system or other risk reduction measures, that is intended to achieve or maintain a

safe state for the controlled system, in respect of a specific hazardous event.

Hardware fault tolerance

HFT n

Ability to continue to perform a required function in the presence of n hardware faults or errors.

Architectural constraints The highest safety integrity level that can be claimed limited by the hardware constraints (SFF, HFT).

Systematic safety integrity SC Measure on a scale of SC 1 to SC 4 on the systematic safety integrity of an element when the element is applied in accordance

with the instructions specified in the safety manual for the element.

Low demand mode The safety function is only performed on demand with a demand interval

a) no greater than one per year and b) greater than twice the proof test interval.

Dangerous failure Failure in implementing the safety function that prevents a safety function from operating as expected.

Safe failure Failure that results in the spurious operation of the safety function.

No effect failure Failure without direct effect on the safety function.

FIT Failure in Time (1x10-9 failures per hour) named θLambda

Failure rate Conditional probability of failure per unit of time, usually declared as FIT

θDD – detected dangerous failures θDU – detected dangerous failures

θSD – detected safe failures θSU – intrinsic safe failures

PFDavg Average probability of dangerous failure on demand.

Safe failure fraction

SFF

Ratio of safe plus dangerous detected failures to all failures.

SFF = (θSD+θSU+θDD) / (θSD+θSU+θDD+θDU)

Proof testPeriodic test performed to detect dangerous hidden failures and weaknesses in the mechanical integrity within the final

application environment.

Proof test interval Execution interval of the period proof test.

Proof test coverage PTC Fraction of detected dangerous failures by the periodic proof test.

Diagnostic coverage

Fraction of dangerous failures detected by on-line diagnostic tests.

DC = θDD / (θDU+θDD)

Diagnostic test interval Interval between on-line tests to detect faults.

Common cause failure Failure causing concurrent failures of two or more separate channels in a multiple channel system, leading to system failure.

Systematic failure Failure, related in a deterministic way to a certain cause, which can only be eliminated by design modification, manufacturing

process, operational procedures, documentation or other relevant factors.

Random hardware failure Failure, which results from degradation mechanisms in the hardware. For equipment comprising many electrical components

those failures occur at predictable rates but at unpredictable random times.

Type A element

Type B element

An element can be regarded as type A if, the failure modes of all constituent components are well defined; and the behavior of

the element under fault conditions can be completely determined; and there is sufficient dependable failure data to show that

the claimed rates of failure for detected and undetected dangerous failures are met. Otherwise the element shall be regarded

as type B.

MooN architecture Voting redundancy architecture. e. g.

1oo2: 1 out of 2 redundant channel architecture

2oo3: 2 out of 3 redundant channel architecture

Useful lifetime Beyond the useful lifetime the probability of failure significantly increases with time and the probabilistic failure rate

estimation is meaningless.

TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E 5

Mission Time Final plant operation time for the safety system. Used for the PFDAVG and Proof Test Interval calculation.

FMEDA Failure Modes, Effects and Diagnostics Analysis.

MTBF Mean Time Between Failure.

MTBF = (1 / (θtotal + θAU + θno effect + θno part)) + MTTR.

MTTR Mean Time to Repair.

MTTF Mean Time to Failure.

DTM Device Type Manager.

EDDL Electronic Device Description Language.

FDI Field Device Integration Technology based on EDDL.

DCS Distributed Control System.

HMI Human Machine Interface.

Multidrop HART Bus Communication Mode.

Closed coupled Short connecting lead to the temperature sensor with less than 1 m (39.37 in) in length and connecting lead laid with

mechanical protection.

Extension wire Long connecting lead to the temperature sensor with more than 1 m (39.37 in) in length or connecting lead laid without

mechanical protection.

Low stress Low vibration environment or the use of a cushioned sensor. The operation is below 67 % maximum rating according to

specification.

High stress High vibration environment. The operation is above 67 % maximum rating according to specification.

NAMUR NE43 Standardization of the signal level for the breakdown information of digital 4 to 20 mA transmitter.

RTD Resistance Temperature Detector.

TC Thermocouple sensor.

SIS Safety Instrumented System (e.g., sensors, logic solver, actuators).

LRV Lower range value (measuring range lower limit).

URV Upper range value (measuring range upper limit).

Sensor redundancy with drift

detection

Assembly with two sensors and one electronics which allows to detect sensor drift failures.

4Associated documents

The following corresponding product documents must be taken into consideration in addition to this SIL safety manual:

Product designation Document name Document type

TTH300, TTF300 SM/TTX300SIL-EN This Safety Manual

TTH300 DS/TTH300 Data Sheet

TTH300 OI/TTH300 Operating Instruction

TTH300 CI/TTH300 Commissioning Instruction

TTF300 DS/TTF300 Data Sheet

TTF300 OI/TTF300 Operating Instruction

TTF300 CI/TTF300 Commissioning Instruction

The documents can be downloaded in the available languages from the ABB website at ‘www.abb.com/temperature’.

In addition, the user of this device is responsible for ensuring compliance with applicable legal regulations and standards.

6 TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E

5Safety function

The TTH300-*H, and TTF300-*H transmitter are configurable single or dual sensor channel (RTD 2/3/4 wire, TC) digital devices

generating a temperature related analog 4 to 20 mA output signal. The safety function refers strictly to the analog output signal.

The final device assembly consists of the device electronics TTH300-*H, or TTF300-*H, the attached temperature sensor, the housing

with optional connected LCD indicator and the related process connections.

Alarm behavior and alarm current output

When a critical error is detected, an alarm current according NAMUR NE 43 is generated which must be evaluated and processed by

the safety logic solver.

Detected failures by internal diagnostics generates the configured alarm current.

(See Appendix FMEDA Report: Fail detected by internal diagnostics)

There are two selectable modes for the alarm current:

• HIGH ALARM (high alarm, maximum alarm current); this is the factory setting

• LOW ALARM (low alarm, minimum alarm current)

The high alarm current can be configured in a range from 20.0 to 23.6 mA.

The factory setting is 22 mA.

The low alarm current can be configured in a range from 3.5 to 4.0 mA.

The factory setting is 3.6 mA.

In the following cases and by some electrical part failures, an error is forced independently of the configured alarm current to the low

alarm current range:

• Detected runtime errors (e.g., by watchdog)

• Detected memory errors (e.g., non-volatile data, RAM, ROM)

(See Appendix FMEDA Report: Fail low detected by safety logic solver)

Failures in some electrical parts are forcing independently of the configured alarm current the high alarm current range.

(See FMEDA Report: Fail high detected by safety logic solver)

The safety-related system (safety logic solver) must be able to detect both, the high and the low alarm state.

After switching on or restarting the transmitter electronics unit, the minimum alarm time is 10 to 15 seconds.

Overall safety accuracy

The value defined for the overall accuracy of the safety function for this device is ± 2 % of the measuring range.

The basic accuracy depends on the sensor model and is specified in the corresponding data sheets.

Diagnostic test interval

All safety-relevant errors are detected within a diagnostic test interval of 2 minutes.

Type classification

This device is declared as Type B complex element according IEC 61508.

TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E 7

Useful Lifetime

According IEC 61508-2, a useful lifetime, based on experience, should be assumed.

The useful lifetime is highly dependent on the component itself and its operating conditions – temperature in particular.

Beyond the useful lifetime, the result of the probabilistic calculation method is meaningless, as the probability of failure significantly

increases with time. The assumption of a constant failure rate is based on the bathtub curve, which shows the typical behavior for

electronic components. Therefore, it is obvious that the PFDAVG calculation is only valid for components which have this constant

domain and that the validity of the calculation is limited to the useful lifetime of each component.

It is assumed that early failures are detected to a huge percentage during the installation period and therefore the assumption of a

constant failure rate during the useful lifetime is valid.

The useful lifetime by the worst components contributing to θDU (dangerous undetected failures) for the TTH300-*H, and TTF300-*H

transmitter electronics at 40 °C average temperature conditions is assumed to approximately 500.000 hours.

When plant experience indicates a shorter useful lifetime, the number based on plant experience should be used.

Systematic Capability

This device has been qualified according the IEC 61508:2010 and fulfills the Part 1 - 3 requirements for a Systematic Safety Integrity of

SC 3 (SIL 3 capable).

The overall functional safety management, development and change process has been assessed by TÜV Nord according

IEC 61508:2000 with results reported within TÜV Report SLA-187/2009TTR-01.

The software modifications have been qualified according IEC 61508:2010.

The FMEDA has been performed by Exida Germany according IEC 61508:2010 with results reported within FMEDA Report 06/05-29

R012 Version V4. The summarized results are attached within Appendix ‘Exida FMEDA Report’.

Note

The systematic safety integrity indicated by the systematic capability can be achieved only when the instructions and constraints are

observed. Where violations occur, the claim for systematic capability is partially or wholly invalid.

Safe Failure Fraction SFF

The IEC 61508 route 1H approach involves calculating the Safe Failure Fraction for the entire element. Related values are listed within

‘Appendix Exida FMEDA Report’.

The number listed assumes that the temperature sensing device and the transmitter together are an element according to

IEC 61508:2010. However, it would also be possible to consider both parts as separate elements where each element must fulfill the

related SFF.

Average probability of dangerous failure on demand PFDAVG

For SIL2 applications, the PFDAVG value of the overall SIS needs to be < 1.00E-02.

Assuming 35 % of these overall budget for the sensor assembly part leads to < 3.5E-03.

The SIS PFDAVG calculation must be done based on certain important variables including:

(1) Failure Rates, Failure Modes and Diagnostics

(2) Redundancy Architecture incl. Common Cause Failures

(3) Proof Test Coverage, Proof Test Interval, Proof Test Duration

(4) Mission Time

(5) Operational/Maintenance Capability

(6) Mean Time to Repair

As only (1) is under control by the device manufacturer it is the responsibility of the Safety Instrumented Function designer to

perform the PFDAVG calculations for the final assembled SIS in combination with PFDAVG values of other devices of a Safety

Instrumented Function (SIF) in order to determine suitability for the demanded Safety Integrity Level (SIL).

The chapter ‘Example PFDAVG calculation’ contains related PFDAVG values for a single channel 1oo1 architecture on selected proof

test inspection intervals as simplified calculation.

8 TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E

6Constraints

The following constraints on the use of the compliant item needs to be considered:

- The entire valid range for the output signal must be configured between min. 3.8 mA and max. 20.5 mA (factory setting).

- The HART communication master must comply with the safety requirements of the customer application.

- No HART Multidrop Mode (forces current out to 4mA)

- The low alarm must be configured to a value á3.6 mA.

- The high alarm must be configured to a value â21 mA.

- To ensure reliable functioning of the current output, the terminal voltage at the device must be between

11 to 42 V DC (non-explosion-proof design) and

11 to 30 V DC (explosion-proof design).

- The DCS power supply for the transmitter must be capable to provide the required voltage level even when the current output

is active with the configured high alarm.

- The head mounted electronics TTH300 with IP00 rating according IEC 60529 for the measurement loop must be protected

against environmental influences by an suitable installation housing.

The device does not meet safety requirements under the following conditions:

- During configuration and simulation

- With deactivated write protection

- During an inspection, proof test of the safety function

Before commissioning the device, check whether the device setup assures the system's safety function. Make also sure that the

correct device has been installed at the correct measuring point.

Whenever the device is updated (if the device's mounting position is changed or the setup is modified, for example), the safety

function of the device must be checked again.

Once the safety function has been checked, the device must be write-protected to prevent changes to the setup, since any change to

the measurement system or parameters may impact the safety function.

TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E 9

7Periodic proof test and maintenance

According IEC 61508-2 proof tests shall be undertaken to reveal dangerous faults which are undetected by automatic diagnostic

tests.

The End User is responsible for selecting the type and the intervals according the overall safety system demands.

The inspections must be conducted in a manner that enables users to verify the proper function of the safety equipment in

combination with all related components.

Proof Test

The below described proof test is a recommended variant which could be performed within the required periodical proof test interval

derived from the safety instrument system engineering demands (e. g., 1oo1, 1oo2 or 2oo3 architecture) and related PFDAVG

calculations.

Step Test Action (consecutive steps)

1 Bypass the safety DCS or take other appropriate action to avoid a false trip.

2 Restart, Power Down and Power Up the Device.

3 Deactivate the device write protection (refer to the relevant operating instructions).

4 Send a HART command, e. g., via EDD / DTM / FDI simulation functionality to the transmitter to go to the high alarm current output

and verify that the analog current reaches that value.

(Test for voltage problems such as a low loop power supply voltage or increased wiring resistance. This also tests for other possible

electrical part failures).

5 Send a HART command, e. g., via EDD/DTM/FDI simulation functionality to the transmitter to go to the low alarm current output and

verify that the analog current reaches that value.

(Test for possible quiescent current related failures)

6 Activate the device write protection. (Refer to the relevant operating instructions) and wait at least 20 seconds for the non-volatile

storage.

7 Restore the loop to full operation by Restart, Power Down and Power Up the Device.

8 Check the current output in performing a multi-point calibration (e. g., 5-point calibration) measurement of the temperature

transmitter covering the applicable temperature range. (Test for possible sensor and electronics failures)

9 Apply an adequate input signal (e.g., short circuit, wire break) to reach the pre-defined alarm level and verify that the safe state is

reached.

(Test for electronics failures that the analog current output corresponds to the provided input signal).

10 Remove the bypass from the safety DCS.

Table 1: ‘Suggested steps for proof test’

The test is assumed to detect 95 % of possible dangerous faults on the related temperature transmitter and sensor assembly.

An appropriate simulator (Pt100 simulator, reference voltage sources) can also be used to check the transmitter electronics

without sensor.

10 TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E

8Installation, commissioning & configuration

The transmitter can be installed, configured, commissioned and maintained by personal with trained knowledge of temperature

transmitters in general and the specific knowledge of the applicable documents content referenced within this safety manual.

The device has been configured and tested according to customer order. However, it can be configured via DTM / FDI / EDD through

the HART interface. The parameters are described in the product instructions.

All configuration parameters that are changed may affect the safety function of the device. Therefore, the safety function shall be

checked again after modifications in accordance to the recommended proof tests.

Activating / Deactivating write protection

• TTH300/TTF300 via DTM/FDI/EDD or local LCD display ‘Write Protection’

• TTH300/TTF300 additionally via HW- write protection DIP switches

(for details see the operating instruction).

Check write protection

Write protection could be checked as follows:

• Check whether the lock icon is displayed on the LCD display if mounted.

• Modify a parameter (e.g., damping), save device data in device and check whether the message ‘Device is write-protected’ is

displayed.

Note

The software write protection does not lock again automatically. It remains unlocked until it is specifically activated.

Sensor redundancy with drift detection

The dual sensor redundancy with configured drift detection and alarm current output configuration (2 temperature sensors

connected to one electronics) is able to detect and alarm signaling on around 95 % on the normally undetected sensor failures.

The related failure rates on sensor assembly configurations are listed within the related tables of ‘Appendix Exida FMEDA Report’.

Configuration:

The sensor drift monitoring needs to be activated and configured via DTM or FDI as demanded for the sensor assembly.

The current output alarm behavior on the ‘maintenance required’ event from detected sensor drift failures needs to be configured as

demanded for the safety logic solver.

Refer to the related operating instructions on more details.

Check sensor redundancy with drift detection

It is mandatory demanded to verify the sensor drift failure detection functionality for the final application including logic solver

involvement.

Other manuals for TTH300 Series

This manual suits for next models

Table of contents

Popular Transmitter manuals by other brands

Seneca

Seneca K120RTD installation manual

Nautel

Nautel GV40 installation manual

HumanTechnik

HumanTechnik cm-light operating instructions

INOR

INOR APAQ C130 TC User instructions

Linear

Linear DXS-64 operating instructions

FeinTech

FeinTech ABT00102 instruction manual

Geo

Geo Web Pack quick start guide

Inovonics

Inovonics EchoStream EN1210W installation instructions

IKONNIK

IKONNIK KA-6 quick start guide

Rohde & Schwarz

Rohde & Schwarz SR8000 Series System manual

Audio Technica

Audio Technica UniPak ATW-T93 Installation and operation

NIVELCO

NIVELCO EasyTREK SCA-300 Series Programming manual

Honeywell

Honeywell 5816WMBR installation instructions

Kamstrup

Kamstrup READy MTU Installation and operation guide

Omega

Omega ZW Series user guide

Dejero

Dejero EnGo 3x manual

Rosemount

Rosemount 4600 Reference manual

RKI Instruments

RKI Instruments M2A 65-2643RK-05-04 Operator's manual

ABB TTH300 Series User manual

Popular Transmitter manuals by other brands