Transmitter Diagnostics
In the previous post we have explained in a brief way what are the failures of transmitter that affect the calculation of PFDavg / PFH and MTTFS of the Safety Instrumented Function (SIF). We will go deeper into the transmitter diagnostics and explain it with some example.
Recall that the “Fail High” and “Fail Low” failures are not detected by the transmitter diagnostics, but can be detected in the PLC (Logic Solver). However, the “Fail Detected” failures are detected by the internal diagnostics of the transmitter.
When the process signal (for example, gas pressure) is outside the measuring range of the transmitter then saturation of the 4-20 mA signal (> 20 mA or <4 mA) occurs. Typically, this saturated signal indication is within certain limits, as shown in the example table. If the signal is outside those limits then what it indicates is that there has been an internal failure in the transmitter (“Fail High”, “Fail Low” or “Fail Detected”).
Example of Rosemount transmitter:
| Level | Saturation value (4-20 mA) | Alarm (fault on 4-20 mA signal) |
| Low | 3.9 mA | ≤ 3.75 mA |
| High | 20.8 mA | ≥ 21.75 mA |
In the application software of the safety PLC we can diagnose these types of transmitter failures. Failures “Fail High” and “Fail Low” are faults not detected by the transmitter diagnostics, but can become failures detected by the PLC.
Fail Detected failures are detected by transmitter diagnostics. If the transmitter has been set to “over-range” then the analog signal goes to a value greater than 20 mA (in the example ≥ 21.75 mA), if it has been set to “under-range” then the signal goes to less than 4 mA (in the example ≤ 3.75 mA).
In each Safety Instrumented Function, the logic to be implemented in the PLC may vary, depending on the type of trip (High or Low), the type of architecture and the design criteria used in the design of the SIS.
In addition, when calculating the probability of failure PFDavg we must take this into account in order to classify the failures correctly. Any of these failures can be dangerous or safe depending on the case.
To better understand this let’s see a simple example.
Design criteria for this example SIF:
1-The transmitter must trip the process by high pressure when the signal reaches 17 mA.
2-The architecture is 1oo1, and any transmitter dangerous detected failure must generate an alarm, but must not stop the process.
3-The transmitter is set to LOW (“under-range”), so that all failures “Fail Detected” carry the transmitter signal to less than 3.75 mA.
4-The transmitter failure modes and failure rates are as follows (information provided by the manufacturer):
| Type of failure |
Failure Rates per hour (FITS) | Notes |
| Fail Safe Undetected (SU) | 94 | |
| Fail Detected | 222 | Internal detected failures. They may be SD or DD (if implemented in PLC). |
| Fail High | 29 | Signal >20 mA. SD or DD. |
| Fail Low | 27 | Signal <4 mA. SD or DD. |
| Fail Dangerous Undetected (DU) | 41 |
Classification of failures in this SIF:
With these criteria we must implement application diagnostics in the PLC so that we must alarm and not trip the process when the transmitter signal is less than 4 mA.
The Table of transmitter failure modes, with these design criteria, becomes the following:
| Type of failure | Rates of failures per hour (FITS) | Notes |
| Fail Safe Undetected (SU) | 94 | Safe failures undetected by transmitter diagnostics. |
| Fail Detected (DD) | 222 | Internal detected failures. The signal goes to 3.75 mA as the transmitter has been set to “under-range”. It’s alarmed in the PLC. |
| Fail High (SD) | 29 | Signal >20 mA. Process is tripped. |
| Fail Low (DD) | 27 | Signal <4 mA. It’s alarmed in the PLC. |
| Fail Dangerous Undetected (DU) | 41 | They are the ones that most impact the value of PFDavg / PFH. |
It is highly recommended to implement this type of application diagnostics in the PLC. In each project, the criteria to be followed for each type of architecture must be defined in the SRS (Safety Requirements Specification). For example, if we want to give priority to production, we can define that, in the 1oo1 architecture, the process is not shutdown (as in the previous example), in 1oo2 we do not trip the process either and temporarily degrade the architecture to 1oo1 (transmitter set to LOW). However, with 2oo2 and 2oo3 we trip the affected channel and we degrade the architectures to 1oo1 and 1oo2 respectively (the transmitter is set to HIGH in these 2 cases as the process does not trip even if a channel fails).
| Architecture | Process trip setpoint | Transmitter setting | Architecture is degraded temporarily to: |
| 1oo1 | High | Low | SIF overriden |
| 1oo2 | High | Low | 1oo1 |
| 2oo2 | High | High | 1oo1 |
| 2oo3 | High | High | 1oo2 |
If the trip setpoint were “Low” the transmitter configuration would be the other way around.
If we prefer to give priority to safety (process trip) then, in the example, transmitter configuration would always be “High” (“over-range”). In this case, all failures are converted to SD as follows:
| Type of failure | Rates of failures per hour (FITS) | Notes |
| Fail Safe Undetected (SU) | 94 | Safe failures undetected by transmitter diagnostics. |
| Fail Detected (SD) | 222 | Internal detected failures. The signal goes to 21.75 mA as the transmitter has been set to “over-range”. Process is tripped by PLC. |
| Fail High (SD) | 29 | Signal >20 mA. Process is tripped by PLC. |
| Fail Low (SD) | 27 | Signal <4 mA. Process is tripped by PLC. |
| Fail Dangerous Undetected (DU) | 41 |
How do you configure it in the SILcet tool?
Example: The process is tripped by high pressure.
| Transmitter set to “under range” | Transmitter set to “over range” |
| Classify the failure rates provided by the transmitter manufacturer as in the first example, that is, “Fail Low” and “Fail Detected” failures are DD failures. “Fail High” are SD (the most practical is to make this classification on the sheet “sensor” where we have created the database of the project components). | Classify the failure rates provided by the transmitter manufacturer as in the second example, that is, “Fail High”, “Fail Low” and “Fail Detected” failures are SD failures (the most practical is to make this classification on the sheet “Sensor” where we have created the database of the project components). |
| Leave the “Trip” column empty (column Z) | Leave the “Trip” column empty (column Z) |
What happens if we do not implement these diagnostics in the Logic Solver?
What happens is that all failures are “undetected”, that is, SU and DU.
If the trip is high (High Trip) and the transmitter is set to “over-range” the failure rates would be as follows:
| Type of failure > | SD | SU | DD | DU |
| No diagnostics in Logic Solver (PLC) | 0 | 94+ 222+ 29 | 0 | 41 + 27 |
Related link: