Use in safety instrumented systems Temperature transmitter iTEMP TMT82
16 Endress+Hauser
5 Use in safety instrumented systems
5.1 Device behavior during operation
After SIL locking, additional diagnostics are active and critical parameters in the
safety path are set to safe values. Therefore, the device behavior in the "SIL mode" may
deviate from the "normal mode". If a test phase takes place before the plant is finally
put into production, it is recommended that this test phase be run in the "SIL mode" in
order to obtain the most conclusive results possible.
5.1.1 Device behavior when switched on
After power-up, the device runs through a diagnostic phase. The current output is set to
the failure current (Low alarm, ≤ 3.6 mA) during this time.
During the diagnostic phase, no communication is possible via the service interface (CDI)
or via HART®, and the screen of the optional plug-in display is not active.
5.1.2 Device behavior when safety function is requested
The device outputs a current value corresponding to the limit value to be monitored. This
value must be monitored and processed further in a connected logic unit.
5.1.3 Safe states
The system assumes one of the three states depending on the error detected.
Failure mode / Description, with safe state / output current:

Application errors are detected by the device, and the set failure current is
output. The device can continue to communicate via HART® (device state:
"Temporarily safe"). This state persists until all the application errors are
resolved and the device can again supply a valid measured value at the
current output. All parameters can be read.
Example: A cable open circuit is detected in the sensor.
Output current: I ≤ 3.6 mA (Low-Alarm) or I ≥ 21.5 mA (High-Alarm)

The device can continue to communicate via HART® (device state: "Active
safe"). However, the current output consistently outputs the set failure
current. This state persists until the device is restarted. All parameters
can be read.
Example: Undervoltage detected at device.

The device ceases operation immediately and restarts after 0.5 s at the
latest. The device does not display any error messages.
Example: An error is detected while the program is running.
5.1.4 Device behavior in the event of alarms and warnings
The output current in the event of an alarm can be set to a value of ≤ 3.6 mA or ≥
21.5 mA. In some cases (e.g. failure of power supply, open circuit in power supply line and
faults in the current output itself, where the failure current ≥ 21.5 mA cannot be output),
output currents ≤ 3.6 mA occur irrespective of the failure current defined. → 33
In some cases (e.g. cabling short circuit), output currents ≥ 21.5 mA occur irrespective of
the configured failure current.
NOTICE
Alarm monitoring
‣ For alarm monitoring, the downstream logic unit must be able to detect both High
alarms (≥ 21.0 mA) and Low alarms (≤ 3.6 mA).
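The following sketch is an added example, not Endress+Hauser code. It shows why the logic unit must monitor both alarm directions: a monitor that watches only the configured failure direction misses the cases from section 5.1.4. The function names and the sample currents in the trace are constructed for illustration; only the two thresholds come from the notice above.

```python
from enum import Enum

LOW_ALARM_MAX_MA = 3.6    # Low alarm: I <= 3.6 mA (from the notice)
HIGH_ALARM_MIN_MA = 21.0  # High alarm: I >= 21.0 mA (from the notice)


class Loop(Enum):
    LOW_ALARM = "low alarm"
    HIGH_ALARM = "high alarm"
    NO_ALARM = "no alarm"


def classify(current_ma):
    """Two-sided check: what the downstream logic unit is required to do."""
    if current_ma <= LOW_ALARM_MAX_MA:
        return Loop.LOW_ALARM
    if current_ma >= HIGH_ALARM_MIN_MA:
        return Loop.HIGH_ALARM
    return Loop.NO_ALARM


def one_sided(current_ma, configured):
    """Flawed monitor (hypothetical): reacts only to the configured direction."""
    state = classify(current_ma)
    return state if state is configured else Loop.NO_ALARM


def missed_alarms(trace, configured):
    """Samples that are alarms but that the one-sided monitor lets through."""
    return [
        (label, ma)
        for label, ma in trace
        if classify(ma) is not Loop.NO_ALARM
        and one_sided(ma, configured) is Loop.NO_ALARM
    ]


# Constructed trace for a device whose failure current is configured High.
TRACE = [
    ("power-up diagnostic phase", 3.5),
    ("normal measurement", 12.0),
    ("sensor cable open circuit", 21.5),
    ("power supply line open circuit", 0.0),
    ("cabling short circuit", 23.0),
]

if __name__ == "__main__":
    for label, ma in missed_alarms(TRACE, Loop.HIGH_ALARM):
        print(f"one-sided monitor missed: {label} ({ma} mA)")
```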