TTH300, TTF300 TEMPERATURE TRANSMITTER | SM/TTX300/SIL-EN REV. E
Assumptions
The following assumptions have been made during the Failure Modes, Effects, and Diagnostic Analysis:
• Failure rates are constant; wear-out mechanisms are not included.
• Propagation of failures is not relevant.
• Failures during parameterization are not considered.
• The device is locked / protected against unintended operation / modification.
• The HART protocol is only used for setup and diagnostics purposes, not during normal operation.
• The device is installed per manufacturer's instructions.
• The correct parameterization is checked by the end user.
• Sufficient tests are performed prior to shipment to verify the absence of vendor and / or manufacturing defects that prevent proper operation of specified functionality to product specifications or cause operation different from the design analyzed.
• External power supply failure rates are not included.
• As the optional display / control unit can interfere with the transmitter, the contribution to the dangerous undetected failure rate was considered.
• The worst case internal fault detection time is 2 minutes. Depending on the application, this interval needs to be considered directly in the SIL verification.
• Only the current output 4 to 20 mA is used for safety applications.
• The application program in the safety logic solver is configured according to NAMUR NE43 to detect under-range low alarm and over-range high alarm and does not automatically trip on these states; therefore, these failures have been classified as dangerous detected failures.
• Materials are compatible with process conditions.
• The measurement / application limits are considered.
• Short circuit and lead breakage detection are activated.
• The minimum supply voltage used for the failure rate calculation is 15 VDC.
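The NE43 assumption above, sketched as input handling on the logic-solver side. This is an added example, not code from this manual or from the manufacturer. The thresholds are the NAMUR NE43 signal levels (3.8 to 20.5 mA measurement, 3.6 mA or below and 21.0 mA or above for failure); the function names, the sample currents, the 0 to 200 °C range and the handling of the bands between measurement and failure levels are assumptions.

```python
# NE43 classification of a 4-20 mA loop current on the logic-solver side.
# Added illustration: names and sample values are constructed for this example.

NE43_FAIL_LOW_MA = 3.6    # at or below: failure signal (low alarm)
NE43_MEAS_MIN_MA = 3.8    # lower end of the valid measurement band
NE43_MEAS_MAX_MA = 20.5   # upper end of the valid measurement band
NE43_FAIL_HIGH_MA = 21.0  # at or above: failure signal (high alarm)


def classify_ne43(current_ma):
    """Map one loop-current sample to an NE43 state."""
    if current_ma <= NE43_FAIL_LOW_MA:
        return "FAIL_LOW"
    if current_ma >= NE43_FAIL_HIGH_MA:
        return "FAIL_HIGH"
    if NE43_MEAS_MIN_MA <= current_ma <= NE43_MEAS_MAX_MA:
        return "MEASUREMENT"
    # Between the measurement band and a failure level: not a valid value,
    # not yet a defined alarm. Treated here as a fault (assumption).
    return "OUT_OF_SPEC"


def evaluate_loop(samples_ma, lrv_c, urv_c):
    """Return (state, temperature or None, diagnostic_alarm) per sample.

    A failure state raises a diagnostic alarm instead of being scaled to a
    temperature, so a failed transmitter is never read as a process value.
    """
    results = []
    for ma in samples_ma:
        state = classify_ne43(ma)
        if state == "MEASUREMENT":
            temp = lrv_c + (ma - 4.0) / 16.0 * (urv_c - lrv_c)
            results.append((state, round(temp, 2), False))
        else:
            results.append((state, None, True))
    return results


# Constructed samples: normal, slight under-range, low alarm, high alarm, gap.
SAMPLES_MA = [12.0, 3.9, 3.5, 21.8, 20.7]

if __name__ == "__main__":
    for row in evaluate_loop(SAMPLES_MA, lrv_c=0.0, urv_c=200.0):
        print(row)
```
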
Diagnostics
The device's diagnostics setup meets the declared safety requirements in supporting the following runtime error detections:
• Sensor configuration RTD: wire break and short circuit
• Sensor configuration thermocouple: wire break
• Several electrical part failures
• AD-converter error
• Internal Power Supply error
• Internal communication error
• Program and Microcontroller supervision through watchdog
• Sensor limit range alarm (upper and lower limits)
• Flash ROM CRC16 error
• EEPROM CRC16 error
• RAM Physical – Pattern Test error
• RAM CRC16 data error
• Drift error detection if configured and verified for the final dual redundant sensor assembly