Inor Ipaq c520 Wiring diagram

HART

Temperature Transmitter

for up to SIL 2 applications

Safety manual SIL

Safety manual SILSafety manual SIL

Safety manual SIL

IPAQ C520/R520

IPAQ C520/R520IPAQ C520/R520

IPAQ C520/R520 Supplementary Instructions

Supplementary InstructionsSupplementary Instructions

Supplementary Instructions

CONTENTS

www.inor.com 02/2019 - 86B520S001 - AD 520 SIL R1.4 en

IPAQ C520/R520

1 Introduction 3

1.1 Field of application ........................................................................................................... 3

1.2 User benefits .................................................................................................................... 3

1.3 Manufacturer’s safety instructions.................................................................................. 3

1.4 Relevant standards / Literature....................................................................................... 4

2 Terms and definitions 5

3 Description of the subsystem 6

3.1 Functional principle.......................................................................................................... 6

4 Safety function 8

4.1 Description of the failure categories ............................................................................... 8

4.2 Specification of the safety function .................................................................................. 8

4.3 Redundancy ...................................................................................................................... 9

4.3.1 Sensor drift ........................................................................................................................... 10

4.3.2 Sensor backup ...................................................................................................................... 10

5 Project planning 11

5.1 Applicable device documentation .................................................................................. 11

5.2 Project planning, behaviour during operation and malfunction.................................... 11

5.2.1 SIL data ................................................................................................................................. 11

6 Periodic checks / Proof tests 12

6.1 Periodic checks .............................................................................................................. 12

6.2 Proof tests ...................................................................................................................... 12

7 Safety-related characteristics 14

7.1 Assumptions ................................................................................................................... 14

7.2 Specific safety-related characteristics .......................................................................... 15

8 Appendix 20

8.1 Declaration of conformity for Functional Safety (SIL) ................................................... 20

8.2 exida / FMEDA management summary ......................................................................... 21

8.3 Type Examination Certificate ......................................................................................... 24

8.4 Return / maintenance form............................................................................................ 26

9 Notes 27

INTRODUCTION

IPAQ C520/R520

www.inor.com02/2019 - 86B520S001 - AD 520 SIL R1.4 en

1.1 Field of application

The IPAQ C520 (hereafter referred to as C520) is a universal, isolated, dual-input temperature

transmitter for RTD and thermocouple sensors. It’s primarily intended to be mounted in a DIN-B

housing.

IPAQ R520 (hereafter referred to as R520) is the rail mounted version of the IPAQ C520.

IPAQ C520X and R520X are the intrinsically safe versions of the IPAQ C520 and R520.

An S is added for the SIL versions, e.g. C520S and C520XS.

The IPAQ C520/R520 temperature transmitter utilizes a modular design in hardware as well as

in software to ensure the quality and reliability of the transmitter signal output to meet the

special safety requirements according to IEC 61508:2010 part 1 to part 3 for use in SIL2

applications.

1.2 User benefits

•This intelligent HART

temperature transmitter is designed to perform temperature

measurements of solids, fluids and gases up to SIL2 according to special safety requirements

of IEC 61508:2010 (see Certificate No. SC0266-13 issued by RISE Research Institute of

Sweden AB (former SP Technical Research Institute of Sweden).

•Remote configuration with process control system, PC or HART

hand terminal is not

notnot

not

possible in combination with SIL activation to prevent unintended changes, only read-out of

parameters from the unit is possible via HART

. To change settings or deactivate the SIL

function the INOR software ConSoft and INOR USB-kit ICON must be used.

•Continuous measurement

•Easy commissioning

SIL 2 requirements are based on the standard IEC 61508:2010.

The C520S/C520XS/R520S/R520XS certification involves the HW assessment of the products with

an FMEDA plus a full assessment made by RISE Research Institute of Sweden AB.

1.3 Manufacturer’s safety instructions

The measuring device has been built and tested in accordance with the current state of the art,

and complies with the relevant safety standards

However, dangers may arise from improper use or use for other than intended purpose.

For this reason, observe all the safety instructions in this document and in the Handbook

carefully.

Hardware Production

order no.

IPM OPM ConSoft Handbook Safety Manual

≤9 ≤571029873 01.01.03xxx 01.01.04xxx ≥2.0.0.8 86B5200001 ≤2 86B520S001 ≤R1.2

≥11 ≥571030029 01.02.02xxx 01.02.02xxx

01.02.03xxx

≥2.0.0.8 86B5200001 ≥4 86B520S001 ≥R1.3

INTRODUCTION

IPAQ C520/R520

www.inor.com 02/2019 - 86B520S001 - AD 520 SIL R1.4 en

1.4 Relevant standards / Literature

This "Safety manual" is a complement to the regular Handbook(User Instructions) for IPAQ C520

and R520.

In addition to the safety rules in this documentation, national and regional safety rules and

industrial safety regulations must also be observed.

Standard Designation

IEC 61508:2010

all parts Functional safety of electrical/electronic/programmable electronic safety related systems –

Part 2: Requirements for electrical/electronic/programmable electronic safety-related

systems

IEC 61326-3-1:2008

EN 61326-3-1:2008 Immunity requirements for safety-related systems and for equipment intended to perform

safety-related functions (functional safety)- General industrial applications

Namur NE 21 Electromagnetic compatibility of industrial process and laboratory control equipment

Namur NE 32 Data retention in the event of a power failure in field and control instruments with

microprocessors

Namur NE 43 Standardization of the signal level for the failure information of digital transmitters

Namur NE 53 Software of field devices and signal processing devices with digital electronics

Namur NE 79 Microprocessor equipped devices for safety instrumented systems

Namur NE 89 Temperature transmitter with digital signal processing

Namur NE 107 Self-monitoring and diagnosis of field devices

EN 60079-0:2009

EN 60079-0:2012 Electrical apparatus for explosive gas atmospheres - Part 0: General requirements

EN 60079-11:2007

EN 60079-11:2012 Explosive atmospheres - Equipment protection by intrinsic safety "i"

EN 60079-26:2007

EN 60079-26:2015 Explosive atmospheres - Part 26: Equipment with equipment protection level (EPL) Ga

Table 1-1: Supported standards during the development of C520/R520

TERMS AND DEFINITIONS

IPAQ C520/R520

www.inor.com02/2019 - 86B520S001 - AD 520 SIL R1.4 en

Used abbreviations

Acronym Description

Diagnostic Coverage of dangerous failures.

Diagnostic coverage is the ratio of the detected failure rate to the total failure rate.

FIT Failure In Time (1x10

-9

failures per hour)

FMEA Failure Modes Effects Analysis is a structured qualitative analysis of a system,

subsystem, process, design or function to identify potential failure modes, their

causes and their effects on (system) operation.

FMEDA Failure Modes Effects and Diagnostic Analysis adds a qualitative failure data for all

components being analyzed and ability of the system to detect internal failures via

automatic on-line diagnostics parts to FMEA.

HFT Hardware Fault Tolerance

Low demand mode Mode, where the frequency of demand for operation made on a safety-related

system is not greater than one per year and not greater than twice the proof-test

frequency.

High demand

mode Mode, where the frequency of demands for operation made on a safety-related

system is greater than one per year and greater than twice the proof-check

frequency.

MTBF Mean Time Between Failure is average time between failure occurrences.

MTTR Mean Time To Restoration is average time needed to restore normal operation after

a failure has occurred.

PFD

AVG

Probability of Failure on Demand is the average probability of a system to fail to

perform its design function on demand.

PFH Probability of Failure per Hour is the probability of a system to have a dangerous

failure occur per hour.

SFF Safe Failure Fraction summarizes the fraction of failure, which lead to a safe state

and the fraction of failures which will be detected by diagnostic measures and lead

to a defined safety action.

SIF Safety Instrumented Function

SIL Safety Integrity Level

Type A component

/ Type A element "Non-complex" subsystem (all failure modes are well defined);

for details see 7.4.3.1.2 of IEC 61508-2:2000 / 7.4.4.1.2 of IEC 61508-2:2010.

Type B component

/ Type B element "Complex" subsystem (at least one failure mode are not well defined);

for details see 7.4.3.1.3 of IEC 61508:2000 / 7.4.4.1.3 of IEC 61508-2:2010.

T[Proof] Proof Test Interval

Table 2-1: Used abbreviations during the development of C520/R520

DESCRIPTION OF THE SUBSYSTEM

IPAQ C520/R520

www.inor.com 02/2019 - 86B520S001 - AD 520 SIL R1.4 en

3.1 Functional principle

The C520/R520 supports up to two sensor channels with general input circuits that may be

configured for RTD and/or thermocouple temperature sensors.

All safety related calculations are based on these connections.

Functional principle of the C520/R520 is based on the analog to digital and back to analog signal

conditioning. The temperature sensors used are either Resistance Temperature Device(s) (RTD)

or thermocouple(s) (T/C). The RTD has a temperature dependent, non-linear, variable resistance

while the T/C generates a low level, highly non-linear, EMF (voltage) that depends on the

temperature difference between opposite ends of the T/C wire pair. Hence the connection end of

the T/C (cold junction) constitutes a temperature reference or base value that has to be

measured in order to determine the temperature at the critical spot (hot junction). This action is

referred to as cold junction compensation (CJC). One or two sensors of the same or different

types may be connected.

The low level analogue signal from temperature sensors is amplified and filtered before

converting it to a digital signal. The digital signal is less prone to electromagnetic interference.

Digital signal processing like sensor linearization, calculation, temperature drift compensation

etc. is controlled by processors, isolated and converted back to analogue 4...20 mA output signal.

Figure 3-1: The functional principle of C520

1 Primary Master

2 HART modem

3 HART

4 Milliampere-meter Load ≥250Ω

5 Terminal 7 (- on C520)

6 4...20 mA

7 Terminal 6 (+ on C520)

8 C520 connected with sensor in the sensor head

9 Secondary master

10 DC power supply

11 Load ≥250Ω

DESCRIPTION OF THE SUBSYSTEM

IPAQ C520/R520

www.inor.com02/2019 - 86B520S001 - AD 520 SIL R1.4 en

The C520/R520 are smart temperature transmitter which improves predicting problems within

the industrial safety instrumented systems –SIS, reducing the manual testing.

The C520/R520 is a modular and configurable system with the ability to pre-configure inputs for

measuring sensor(s) and outputs to fault conditions. Configuration of the transmitter is

protected by password.

SAFETY FUNCTION

IPAQ C520/R520

www.inor.com 02/2019 - 86B520S001 - AD 520 SIL R1.4 en

4.1 Description of the failure categories

The following definitions of the failure are used during diagnostic calculations:

4.2 Specification of the safety function

The safety function of the C520/R520 transmitter is the quality and reliability of the transmitter

signal output, i.e. measurement performance, error detection and error indication in the signal-

processing path of the transmitter.

The valid range of the output signal is between 3.8 mA and 20.5 acc. to NE 43.

The failure information is defined by two selectable alarm levels: Fail Low (Downscale ≤3.6 mA)

and Fail High (Upscale ≥21 mA).

The configuration of the transmitter is protected by a password set via the software ConSoft. The

password is stored in the transmitter.

The C520S/C520XS/R520S/R520XS checks sensor errors (sensor break or sensor short) for both

channels if it is configured in this manner.

State definition Description

Fail-Safe State The fail-safe state is defined as the output reaching the user defined

threshold value.

Fail - Safe A safe failure (S) is defined as a failure that causes the

module/(sub)system to go to the defined fail-safe state without a demand

from the process. Safe failures are divided into safe detected (SD) and safe

undetected (SU) failures.

Fail Dangerous A dangerous failure is defined as a failure of the temperature transmitter

C520/R520 not responding to a demand from the process, i.e. being unable

to go to the defined fail-safe state, and the output current deviates by

more than 2% of measuring span of the actual temperature measurement

value.

Fail Dangerous Undetected Failure that is dangerous and that is not being diagnosed by internal

diagnostics.

Fail Dangerous Detected Failure that is dangerous but is detected by internal diagnostics and

causes the output signal to go to the predefined alarm state (These

failures may be converted to the selected fail-safe state).

Fail High Failure that causes the output signal to go to the maximum output current

(≥21 mA) acc. to NAMUR NE 43.

Fail Low Failure that causes the output signal to go to the minimum output current

(≤3.6 mA) acc. to NAMUR NE 43.

Fail No Effect Failure of a component that is part of the safety function but is neither a

safe failure nor a dangerous failure and has no effect on the safety

function. For the calculation of the SFF it is treated like a safe undetected

failure.

Not part Failures of a component which is not part of the safety function but part of

the circuit diagram.

Table 4-1: Definitions of the failure rate during the diagnostic calculations for C520/R520.

SAFETY FUNCTION

IPAQ C520/R520

www.inor.com02/2019 - 86B520S001 - AD 520 SIL R1.4 en

A software SIL-switch is available in the transmitter, handled by the PC-configuration software

ConSoft. It is password-protected by the same password that protects from change of

configuration. The SIL-switch can also be changed by HART communication, still password-

protected. The password may be changed either via ConSoft or via HART communications. It is

stored in the transmitter and it has to be accurate in order to download any changes to the

transmitter configuration. When the transmitter is shipped, the password default value is “0000”.

For SIL applications the password must be changed

For SIL applications the password must be changedFor SIL applications the password must be changed

For SIL applications the password must be changed to a user specific password in order to

prevent unintended change of configuration.

The following definitions of the failure are used during diagnostic calculations:

1For some system failures the alarm output will toggle between a high alarm level (≥21.0 mA)

and a low alarm level (≤3.6 mA). For some HW failures the alarm level will be high even though a

low level is configured and for some other HW failures the alarm will go low even though a high

level has been selected.

To prevent a safety system from restart due to the toggling output the system should be setup so

that once an alarm signal has occurred from the safety loop the system shouldn’t go back to

normal run automatically but only manual ("Restart Interlock").

2Transmitter errors = failures in the software or hardware detected by the diagnostics in the

transmitter.

3The sensor drift function is valid from SW-versions; IPM-SW 01.01.03 and OPM-SW 01.01.04

and hardware versions 5 and later, implemented in transmitters with serial number 1006.xxxxxx

or later. Serial number 1006.xxxxxx means manufactured week 6 in 2010 and this information is

found on the nameplate or it can be read from the transmitter via ConSoft. The software and

hardware versions can be read from the ConSoft software, tab "Device Information".

4.3 Redundancy

For the following configurations:

•2 x 2w RTD sensors

•2 x 3w RTD sensors

•2 x 4W RTD sensors (only valid for R520S/R520XS)

•2 x Thermocouple sensors

•1x Thermocouple sensor and 1 x 3w RTD sensor

•1x Thermocouple sensor and 1 x 4w RTD sensor (only valid for R520S/R520XS)

are either "Sensor drift monitoring" function or "Sensor backup" function selectable at a time.

Function Active/Not Active Output Alarm level 1

Sensor break Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Sensor short Active 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

Low isolation Not active - -

Transmitter error 2Active 4...20 mA / 20...4 mA ≥21.0 mA

Sensor drift (dual

sensor needed) 3Active/Not Active

selectable 4...20 mA / 20...4 mA ≤3.6 mA / ≥21.0 mA

SAFETY FUNCTION

IPAQ C520/R520

www.inor.com 02/2019 - 86B520S001 - AD 520 SIL R1.4 en

4.3.1 Sensor drift

If the function "Sensor drift" monitoring is selected, a difference between the sensors of more or

equal to the value stated in the configuration will cause the output to go either "Downscale" or

"Upscale" depending on the user configuration. Maximum temperature difference has to be

specified in °C via ConSoft.

4.3.2 Sensor backup

If "Sensor backup" function is activated the sensor chosen as output measuring in the

configuration will reflect the actual measuring value as long as it’s working properly. A sensor

break or a sensor short cause the transmitter to switch over to the other sensor and the output

signal will reflect the measured value of that sensor. A diagnostic message is transmitted via

HART

to the PLC.

If the "Average" function is activated in the configuration, the output value will reflect the actual

mean measuring value as long as the sensors are working properly. A sensor break or a sensor

short cause the transmitter to switch over to the non-broken sensor and the output signal will

reflect the measured value of that sensor. A diagnostic message is transmitted via HART

to the

PLC.

The functions "Sensor backup" and "Average" doesn't give any extra safety according to SIL and

are not used for calculating the system (transmitter + sensor) safety figures.

CAUTION!

The possibility to select the function for sensor drift monitoring is implemented in software

revision IPM-SW 01.01.03 and OPM-SW 01.01.04, from serial number 1006.xxxxxx.

Other manuals for IPAQ C520

This manual suits for next models

Table of contents

Other INOR Transmitter manuals

INOR

INOR IPAQ C330 Series User manual

INOR

INOR IPAQ CT20 User manual

INOR

INOR IPAQ C520 User manual

INOR

INOR APAQ C130 User manual

INOR

INOR ICON-X Wiring diagram

INOR

INOR IPAQ-L User manual

INOR

INOR APAQ-HRF User manual

INOR

INOR Mini IPAQ-HLP User manual

INOR

INOR IPAQ-H/HX User manual

INOR

INOR APAQ C130 TC User manual

INOR

INOR IPAQ-4L User manual

INOR

INOR APAQ R130 User manual

INOR

INOR IPAQ R202 User manual

INOR

INOR IPAQ-LX User manual

Popular Transmitter manuals by other brands

Seneca

Seneca K120RTD installation manual

Nautel

Nautel GV40 installation manual

HumanTechnik

HumanTechnik cm-light operating instructions

Linear

Linear DXS-64 operating instructions

FeinTech

FeinTech ABT00102 instruction manual

Geo

Geo Web Pack quick start guide

Inovonics

Inovonics EchoStream EN1210W installation instructions

IKONNIK

IKONNIK KA-6 quick start guide

Rohde & Schwarz

Rohde & Schwarz SR8000 Series System manual

Audio Technica

Audio Technica UniPak ATW-T93 Installation and operation

NIVELCO

NIVELCO EasyTREK SCA-300 Series Programming manual

Honeywell

Honeywell 5816WMBR installation instructions

Kamstrup

Kamstrup READy MTU Installation and operation guide

Omega

Omega ZW Series user guide

ABB

ABB Field 264H Instructions for installation

Dejero

Dejero EnGo 3x manual

Rosemount

Rosemount 4600 Reference manual

RKI Instruments

RKI Instruments M2A 65-2643RK-05-04 Operator's manual

INOR IPAQ C520 Wiring diagram

Popular Transmitter manuals by other brands