Process Control and Optimization, VOLUME II - Unicauca

3.9 Transmitters: Self-Checking and Self-Validating

J. BERGE (2005)

Communications Infrastructure (Permanently Connected):

Transmitters with 4- to 20-mA output shall conform to NAMUR NE-43

HART handheld such as the Smar HPC301 (about U.S. $1000)

FOUNDATION™ fieldbus host such as Smar SYSTEM302 (from U.S. $4000)

Costs (Typical base prices for pressure transmitters):

Microprocessor-based 4 to 20 mA, such as SMAR LD290, U.S. $500

HART, such as SMAR LD301, U.S. $700

FOUNDATION Fieldbus, such as SMAR LD302, U.S. $800

Suppliers:

Refer to Sections 3.6, 3.7, and 3.8 in this volume and to Volume 1 of this handbook.

INTRODUCTION

Self-diagnostics are of great importance for both operation and maintenance. They matter for operation because the reliability of the measurements is essential for proper control. Control and alarm systems using invalid inputs are a safety hazard. Measurement validation is therefore paramount. Indications of invalid measurements can be used to shut down the loop or to activate backup systems. Conventional and more sophisticated software tools such as statistical process control (Section 2.34), model-based predictive control (Section 2.14), and optimization (Section 2.20) should all work only with validated data and must know whether a measurement is invalid.

Until recently only two types of maintenance strategies were used in the processing industry: reactive maintenance (its response is usually too late) and preventive maintenance (too early). Both are costly and ineffective. The recommended maintenance scheme is a proactive one, which responds to the actual device status. Such condition-based maintenance strategies rely on self-diagnostics to report on the health of field instruments to an asset management software system. Self-diagnostics detect and immediately signal the failure of a device. Diagnostics in conjunction with appropriate means of communication and advanced software tools permit remote troubleshooting.

Measurement validation is also critical in the proper operation of safety control systems. This requirement has produced a trend: because switches provide no diagnostics, low-cost transmitters with self-diagnostics are taking their place in critical applications.

LEVELS OF DIAGNOSTIC INFORMATION

Self-validation methods vary by both the type of measurement and by the supplier involved. In the past, most transmitters only had a single “general failure” indication for all faults. Today’s transmitters, however, increasingly provide detailed diagnostics. The level of diagnostics available varies greatly by manufacturer. Indeed, some transmitters are equipped to provide diagnostics that go down to the chip level, even if repair can only be performed at the board level. Because component level repairs are currently rare and are subject to approval from both a certification agency and the manufacturer, for most practical purposes, board-level diagnostics are sufficient.

Transmitters have diagnostics for the transmitter itself, i.e., the main circuit board, as well as diagnostics for its sensor or sensors. Transmitters can be categorized into two groups with respect to the sensor: those with integral sensors such as most pressure, flow, and level transmitters, and those with external sensors such as most temperature, pH, conductivity, etc. Devices without microprocessors have no diagnostics at all.

How Diagnostics Are Performed

Self-diagnostics of transmitters are active when the power supply is on. When this is the case, the integrity of data in the different nonvolatile memories is checked to ensure that they have not been corrupted (Figure 3.9a). Memory checks are also performed periodically while the device is in operation. Other diagnostics include consistency of configuration and calibration. If a device is in simulation mode, this is also reported by the diagnostics software.

© 2006 by Béla Lipták

FIG. 3.9a Diagnostics are performed by CPU firmware in conjunction with sensor’s application specific integrated chips (ASIC). [Block diagram. Labels: main circuit board; sensor module; power isolation; signal isolation; local adjust; PROM memory; pressure; oscillator; temp; sensor EEPROM memory; CPU, EEPROM, RAM memory; math coprocessor; D/A converter; HART modem; display controller; output and power supply; display.]

Many types of device failures can manifest themselves in similar ways and it may not be possible to distinguish among them. Moreover, a failure of the main circuit board often results in the failure of a local display and communication channel, thereby making easy diagnostics impossible. Therefore, the user may not know exactly what is wrong with the sensor module. However, it suffices to know that the main circuit and not just the sensor module has failed because the main circuit has to be replaced in either case. Detailed analysis can be performed once the faulty circuit board has been replaced.

Transmitters with Integral Sensors

Transmitters with integral sensors continuously check the sensor signal and compare it to expected readings to detect abnormal conditions based on manufacturer experience with the particular measurement method used. Pressure, level, and flow transmitters are all available with integral sensors. In order to allow for easier repair, the sensor is usually detachable from the main circuit board (Figure 3.9b).

The device or its sensor module provides temperature monitoring for temperature compensation of the measurement in addition to registering the violation of temperature limits. If a low limit is violated, this can be used to alert operators that the process fluid may be solidified or frozen and therefore the operation of the heat tracing system should be checked. Similarly, if a high-temperature limit is violated, it is desirable to check whether the sensor has been affected, degrading its accuracy or requiring recalibration. Such condition monitoring is required for proactive maintenance, which can ensure that small transmitter problems are corrected before they can cause large plant problems.

The symptoms of several types of sensor failures are similar and may not be distinguishable. For example, the leaking of pressure sensor diaphragms caused by corrosion may result in the same symptoms as some other type of sensor failure. In this case, the user may not know exactly what is wrong, but it suffices to know that the problem is with the sensor module and not the main circuit board and therefore the sensor has to be replaced. Detailed analysis can be performed after the faulty sensor has been removed. What is most important is to know that it was indeed a genuine sensor failure and not some kind of process upset or blocked impulse line that created the indication of failure.

FIG. 3.9b Pressure sensor module contains application specific integrated chips (ASIC) that handle diagnostics. (Courtesy of SMAR.)

Transmitters with External Sensors

Transmitters utilizing external sensors include temperature, pH, and conductivity as well as several other types. A self-diagnosing transmitter periodically checks the external sensor to determine its health as well as checking the integrity of the wiring. A variety of tests can be performed, depending on the measurements and on the type of the primary sensor.

For example, in the case of thermocouple-type (TC) temperature sensors, the test may involve the sending of current through the leads to verify the continuity of the wires and to detect “burn-out” of the TC junction. Another test is to check the plausibility of the cold-junction temperature sensor reading. For an RTD (Resistance Temperature Detector) sensor, the transmitter may measure the resistance of the individual sensor wires because excessive resistance can signify poor or wrong connections. Furthermore, the transmitter may contain internal comparison circuits, which can detect drift in its own internal secondary measurement circuitry. More expensive but also more comprehensive diagnostics can be provided if two temperature sensor elements are used. If their readings excessively deviate from each other, that is used as an indication of failure.

pH is a notoriously difficult measurement and is perhaps one of the best examples where good use can be made of measurement validation. A modern pH transmitter (Figure 3.9c) continuously monitors both the measurement and the reference electrodes to detect mechanical damage of the sensor, contamination or blockage of the diaphragm, and aging or defects in the cabling. As a means to support proactive maintenance, the transmitter may even include a timer that alerts the operator when it is time to recalibrate. Furthermore, the transmitter may contain internal gain check to detect drift in its own internal secondary measurement circuitry.

FIG. 3.9c Self-checking pH transmitter. (Courtesy of Mettler-Toledo.)

DIAGNOSTICS TRANSMISSION

The output signal of a transmitter can indicate its own health and the validity of its measurement. In case of analog transmitters, if the output is outside the normal operating range, that usually signals some type of failure. Intelligent transmitter communication indicates the status by using codes and parameters.

Analog Transmitters

Transmitters without microprocessors have practically no real diagnostics capability. However, thermocouple temperature transmitters may still have a “pull-up” resistor that prevents the input from floating in case of thermocouple burnout, which otherwise can drive the output to either of the following extremes: above 20 or below 4 mA. Other analog transmitters work in a similar fashion. This scheme of protection is available for “live zero” signals such as 4 mA or 1 V, but for “dead zero” (zero-based) signals, the scheme does not work because it is usually not possible to go below 0 mA or 0 V. In these cases, an output that is below 1% is usually considered to be a failure indication.

Microprocessor-Based Transmitters

Microprocessor-based transmitters with 4- to 20-mA output and with or without highway addressable remote transducers (HART) have sensor diagnostics and can manipulate their outputs intelligently. The NAMUR NE-43 (Normen-Arbeitsgemeinschaft für Meß- und Regulungstechnik in der Chemischen Industrie) standard defines the signal levels that indicate the health of instruments (Figure 3.9d). To indicate that the measurement is “Good,” the transmitter uses a signal in the range 4 to 20 mA. The wider range of 3.8 to 20.5 mA indicates that the measurement is outside the set range but probably still useful. This status may be considered “Uncertain.” If the signal is between 3.6 and 3.8 mA or between 20.5 and 21 mA, the transmitter is “Bad.” So, when the signal rises higher (20.5 to 21 mA) or drops lower (3.6 to 3.8 mA), a set of user-defined safety actions should be initiated.

HART Transmitters

HART (highway addressable remote transducer) transmitters are smart instruments (see Section 4.11 in Volume 3 of this handbook) that provide slow digital communication in addition to their simultaneous 4- to 20-mA analog signals. The device status is included in all their communication responses.

Because HART is relatively slow, the control loops rely on the 4- to 20-mA analog signal for control. Therefore, in most installations the HART communication capability is only utilized occasionally, by connecting a handheld tool. Therefore, in most plants the HART device rarely communicates the measurement validity digitally. Consequently, when the HART communication is not continuous it is even more important that the control system should detect any fault indication by the analog signal from the transmitter and bring it to the attention of the operator (Table 3.9e). However, in such control systems where the communication is “always on” and continuously polls the transmitters, a faulty sensor is reported instantly. In order to provide this mode of operation, it is necessary that the DCS/PLC systems use input modules with HART communication or an auxiliary HART multiplexer.

FIG. 3.9d A failure indication recommendation by a German standard, NAMUR NE-43 (Normen-Arbeitsgemeinschaft für Meß- und Regulungstechnik in der Chemischen Industrie). [Plot of output current (mA) against applied input. Marked levels: 21.0 failure; 20.5 saturated; 20.0 to 4.0 set range; 3.8 saturated; 3.6 failure.]
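The NE-43 bands described above, applied to raw loop currents before any scaling to engineering units. This is an added example, not code from the handbook; the tag names and sample currents are constructed. Treating currents outside 3.6 to 21 mA as Bad, and assigning each shared band edge to the better quality, are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Band edges in mA, taken from the text above (Figure 3.9d).
SET_LO, SET_HI = 4.0, 20.0      # set range: "Good"
SAT_LO, SAT_HI = 3.8, 20.5      # outside set range, probably usable: "Uncertain"
FAIL_LO, FAIL_HI = 3.6, 21.0    # transmitter signals failure: "Bad"


@dataclass(frozen=True)
class Reading:
    current_ma: float
    quality: str             # "Good", "Uncertain" or "Bad"
    reason: str
    value: Optional[float]   # engineering units; None when the input is Bad


def classify(current_ma: float) -> Tuple[str, str]:
    """Map a loop current to (quality, reason) using the bands in the text."""
    i = current_ma
    if SET_LO <= i <= SET_HI:
        return "Good", "within set range"
    if SAT_LO <= i < SET_LO:
        return "Uncertain", "below set range (saturated low)"
    if SET_HI < i <= SAT_HI:
        return "Uncertain", "above set range (saturated high)"
    if FAIL_LO <= i < SAT_LO:
        return "Bad", "failure signalled low"
    if SAT_HI < i <= FAIL_HI:
        return "Bad", "failure signalled high"
    # Assumption: anything outside every band (open loop, short circuit,
    # NaN from a faulty input card) is also treated as Bad.
    return "Bad", "outside all defined bands"


def validate(current_ma: float, eu_lo: float, eu_hi: float) -> Reading:
    """Scale to engineering units only when the signal is usable."""
    quality, reason = classify(current_ma)
    if quality == "Bad":
        return Reading(current_ma, quality, reason, None)
    fraction = (current_ma - SET_LO) / (SET_HI - SET_LO)
    return Reading(current_ma, quality, reason, eu_lo + fraction * (eu_hi - eu_lo))


def naive_scale(current_ma: float, eu_lo: float, eu_hi: float) -> float:
    """What an unvalidated input does: a fault current becomes a plausible number."""
    return eu_lo + (current_ma - SET_LO) / (SET_HI - SET_LO) * (eu_hi - eu_lo)


def alarm_log(samples, eu_lo: float, eu_hi: float) -> List[str]:
    """Return one log line for every sample that is not Good."""
    lines = []
    for tag, ma in samples:
        r = validate(ma, eu_lo, eu_hi)
        if r.quality != "Good":
            lines.append(f"{tag} {r.quality}: {ma} mA, {r.reason}")
    return lines


# Constructed samples: (hypothetical tag, loop current in mA).
SAMPLES = [
    ("LT-101", 12.0), ("LT-102", 20.3), ("LT-103", 21.0),
    ("LT-104", 3.7), ("LT-105", 0.0), ("LT-106", float("nan")),
]

if __name__ == "__main__":
    for line in alarm_log(SAMPLES, 0.0, 100.0):
        print(line)
    # A 21 mA failure signal scaled without validation reads as 106.25 %.
    print("naive:", naive_scale(21.0, 0.0, 100.0))
```

The last line shows why the check has to come before scaling: without it, a transmitter reporting its own failure is indistinguishable from a slightly over-range process value.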

TABLE 3.9e Descriptions of HART Errors

Error: Description

Field Device Malfunction: The device has failed. The measurement is invalid.

Configuration Changed: The device configuration has been changed, possibly affecting the measurement.

Cold Start: The device has restarted.

More Status Available: Additional detail status about the device health or measurement validity is available.

Analog Output Current Fixed: The device is in simulation mode. Output does not reflect measurement.

Analog Output Saturated: The output is out of range. The output does not reflect the measurement.

Nonprimary Variable Out of Limits: Auxiliary measurement, e.g., sensor temperature, is out of range. The measurement may be uncertain.

Primary Variable Out of Limits: The measurement is out of range. The output does not reflect the actual value.

Foundation Fieldbus Transmitters

Foundation Fieldbus transmitters are intelligent instruments (see Section 4.12 in Volume 3 of this handbook) with pure digital communication. Fieldbus communication is “always on.” The health of the device and the validity of the measurement are continuously communicated. The extensive diagnostics capabilities and the ability to effectively report the health and measurement validity of the transmitted data are among the primary reasons for choosing Fieldbus.

In addition to the diagnostic and validity information listed in Table 3.9f, every transducer block has detailed diagnostic parameters that are specific for the particular transmitter type, technology, and manufacturer. The BLOCK_ERR parameter is found in all FOUNDATION Fieldbus function blocks. It gives a summary of all faults in the device (Table 3.9h).

TABLE 3.9f Diagnostics and Validity Information Provided by Fieldbus Transmitters

Parameter: Description

*.status: All input and output parameters, including the measurement, as well as some contained parameters have a status associated with the value (see Table 3.9g).

BLOCK_ERR: All blocks have a summary of faults. In the resource block, this parameter reflects the health of the device as a whole. In the AI block, it represents the associated measurement (see Table 3.9h).

XD_ERROR: All transducer blocks have more detailed information about the fault.

MODE_BLK: All blocks have a mode. If the actual mode of the resource block does not match the target mode, this is an indication of some sort of problem with the device as a whole. If the actual mode of a transducer block does not match the target mode, this is an indication of a problem with the associated measurement.

RS_STATE: The resource block indicates the overall health of the device. If it is “failure,” the memory or other hardware has a fault.

TABLE 3.9g Fieldbus Measurement Status Attributes and Their Descriptions

Status Attribute: Description

Quality: The validity of the measurement value may be Good, Bad, or Uncertain. There are two forms of Good; the one associated with measurements is “Good (Noncascade).”

Substatus: Additional details hinting why the quality is Bad or Uncertain. For Good it contains alarm summary or other information used by the internal workings of the block.

  Bad substatus values:

    Nonspecific

    Configuration error: Some parameter is incorrectly configured.

    Not connected: Input is not linked.

    Device failure: Output has failed.

    Sensor failure: Sensor has failed.

    No communication—last usable value: Input is not being received. The value remains since last communication.

    No communication—with no usable value: Input is not being received. No earlier value is available.

    Out of Service: The block is out of service.

  Uncertain substatus values:

    Nonspecific

    Last Usable Value: Input is disconnected. The value remains since earlier on.

    Substitute: The value is entered manually.

    Initial Value: Value entered while in out-of-service mode.

    Sensor Conversion Not Accurate: Out of range or the sensor may have fouled.

    Engineering Unit Range Violation: Out of range.

    Subnormal: Auxiliary or redundant sensors have failed or are not in agreement.

Limit condition: The limit condition for the value may be either High, Low, Constant, or none at all. High, low, and constant mean that the measurement does not represent the actual value, e.g., due to over range.

TABLE 3.9h Types and Descriptions of Universal Fieldbus Errors

Error: Description

Block configuration error: One or more parameters are wrongly configured, preventing the block from operating properly. The measurement may be invalid.

Link configuration error: One or more of the links for the block are wrongly configured.

Simulate is active (enabled): For the resource block this means that simulation is permitted for the transmitter inputs. In an analog input it means that the input is actually being simulated and does not represent the actual measurement.

In Local Override (LO) mode: The block is in local override mode.

Device fault state is forced: “Fail safe” is forced in the device.

Device needs maintenance soon: The predictive diagnostics in the device indicate that it may soon be in need of service. The device may, e.g., require calibration, cleaning, or some other service.

Input failure: The measurement has failed. The measurement may not be valid.

Output failure: The output has failed.

Memory failure: The device has a problem with one or more of its memories.

Lost static data: The device has lost its configuration. The measurement may be affected.

Lost nonvolatile data: The device has lost its configuration. The measurement may be affected.

Readback check failed: The actual output may not match the desired output.

Device needs maintenance now: The predictive diagnostics in the device indicate that it is now in need of immediate service. The device may, e.g., require calibration, cleaning, or some other service.

Powering up: The device is starting up.

In Out-of-Service (OOS) mode: The mode of the block is set Out-of-Service.

Others: Additional device-specific status is available in other parameters.

DIAGNOSTIC INFORMATION DISPLAYS

The fact that a transmitter failed or that it needs attention must be indicated both locally and in the control room in order to bring this information to the operator’s attention. Fieldbus and HART configuration tools allow for effective management of failures, as was discussed in Section 1.6 of the first volume of this handbook.

The local indicator on the transmitter can display status, such as Bad, and can provide direct failure messages, such as sensor “burnout,” both textually (Figure 3.9i) and symbolically (Figure 3.9j). Health indication is very helpful for troubleshooting in the field. For this reason it is a good idea to use transmitters that are provided with local digital displays.

FIG. 3.9i Failure message provided textually in a temperature transmitter display. (Courtesy of SMAR.)

FIG. 3.9j Failure message provided symbolically in a pH transmitter display. (Courtesy of Mettler-Toledo.)

Usually, the operator in the control room is the first to notice that invalid measurements or transmitter failures have occurred. In order for the total process of transmitter self-checking and validation to be fully effective, the chain, consisting of failure detection in the transmitter, transmission of that information to the control system, and its presentation for the operators, must be fully integrated (Figure 3.9k). In addition to the displaying of the status on the faceplate, any Uncertain or Bad status should also be logged and alarmed. Once operators detect an invalid measurement they can initiate the process that will determine the actual cause.

FIG. 3.9k On the faceplate of the controller, next to the values of setpoint (SP), process variable (PV), and output signal, the letter “G” displays the good status of the complete system.

OPC (Object Linking and Embedding for Process Control) is a key technology serving to get data to the operator’s workstations in the control room. This software architecture was described in Section 5.4 of the third volume of this handbook. It is recommended to use OPC in conjunction with HART or FOUNDATION Fieldbus.

Portable and Handheld Displays

On the displays of handheld tools, technicians can see the detailed diagnostics of the transmitter. In the case of HART systems, the portable handheld tool is brought out into the field and is connected at the transmitter (Figure 3.9l). In a Fieldbus system the technician can “drill down” into the transmitter to reach the detailed diagnostics information that can be helpful in the troubleshooting effort. Because the communication in Fieldbus systems is “always on,” there is no need to locate and connect a handheld tool to obtain the diagnostics; they are available from the engineering station at any time (Figure 3.9m). FOUNDATION Fieldbus transmitters are provided with more diagnostics, and the information provided is easier to access from the control room. These extensive diagnostics and the effective reporting of measurement validity are primary reasons for choosing Fieldbus.

FIG. 3.9l The transmitter diagnostics information, which is presented on a HART handheld tool display.

FIG. 3.9m The transmitter diagnostics information, which is presented on a Fieldbus software-supported display.

To effectively manage large numbers of installed transmitters and other instruments, the Fieldbus and HART network infrastructure should be complemented with powerful online plant asset management (OPAM) software (Figure 3.9n). If the asset management software is Web-based, the maintenance system can securely be connected to the enterprise-wide intranet or the public Internet using appropriate firewalls and other means of protection. This permits diagnostics to be carried out from just about anywhere where it is possible to establish an Internet connection. For example, experts can access it from their homes, or access can be granted to the manufacturer’s support center.

ACTING ON THE DIAGNOSTIC DATA

It is not possible to control a process if the transmitted information is invalid or Bad. However, it may be possible to maintain control while using uncertain measurements, such as readings that are slightly out of range. In general, plant safety is improved if transmitter self-diagnostics are utilized to improve the validity of measurements.

Failsafe and Alarm Actions

Even the simplest analog control loop can be designed to fail safely. For example, in case of level control, a failsafe transmitter will generate a high analog output (say 21 mA), if the sensor fails. Therefore, the controller or alarm system will interpret a 21-mA signal the same as if the tank is overfilled and thus will automatically close the filling valve. Sophisticated DCS and PLC may interpret NAMUR NE-43 signal levels and thus determine if signal quality is Good, Uncertain, or Bad.

HART communication is too slow for closed-loop control or shutdown interlocks and therefore both controls and alarms utilize 4- to 20-mA analog signals. Converters exist that can tap the HART communication from the signal lines and can activate relays in case of failure. Such relays can tie to control systems, which do not communicate HART but do need to know the transmitter status.

In a Fieldbus-based control system, safe loop action is part of the IEC 61804-1 function block diagram language for building control strategies, which is an integral part of the FOUNDATION Fieldbus system architecture. Values communicated between function blocks, such as from an analog input (AI) block in a transmitter to a PID block in a control valve positioner, are accompanied by their status. A “Bad” measurement status from the transmitter can automatically switch the loop to a manual mode of operation or optionally, the PID control block can bring the control valve to its predetermined safe position (Figure 3.9o).

An advantage of the Fieldbus function block language is that the interlocks are built into the control blocks. Therefore there is no need to configure and validate additional logic to implement the interlocks. Moreover, because Fieldbus is a standard, the interlocks work across all devices conforming to the standard. Therefore it is advisable to use transmitters, valve positioners, and central controllers that are based on the FOUNDATION fieldbus blocks rather than using proprietary languages. This can ensure that the measurement validity and other status information is propagated throughout the control strategy and not lost along the way.

FIG. 3.9n Transmitter diagnostics using Web-based asset management (OPAM) software.

FIG. 3.9o Status and operating mode propagation in a FOUNDATION™ fieldbus control system, using function block language. [Block diagram. Labels: AI, PID, AO; Bad; Man; IFS; LO; FSA.]

Within the fieldbus PID block it is possible to set whether the status “Uncertain” shall be treated as “Good” or as “Bad.” This makes it possible to be selective when balancing production availability against plant safety on a loop-by-loop basis. For loops that require high availability, an uncertain status is configured as good, thus permitting control to continue under such conditions. For loops where safety is the primary concern, the uncertain status can be treated as bad, thus shutting the loop down.
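Decoding the status byte summarized in Table 3.9g and applying the per-loop choice of how Uncertain is treated. This is an added example, not code from the handbook or from any vendor; the bit layout and numeric codes follow the FOUNDATION Fieldbus specification rather than this page, and pid_action with its uncertain_as and on_bad parameters is a hypothetical stand-in for the PID block's options.

```python
from dataclasses import dataclass

# One status byte accompanies every value passed between function blocks.
# Assumed layout (from the Fieldbus specification, not from this page):
#   bits 7-6 quality, bits 5-2 substatus, bits 1-0 limit condition.
QUALITY = ("Bad", "Uncertain", "Good (Noncascade)", "Good (Cascade)")
BAD_SUBSTATUS = (
    "Nonspecific", "Configuration error", "Not connected", "Device failure",
    "Sensor failure", "No communication, last usable value",
    "No communication, no usable value", "Out of Service",
)
UNCERTAIN_SUBSTATUS = (
    "Nonspecific", "Last Usable Value", "Substitute", "Initial Value",
    "Sensor Conversion Not Accurate", "Engineering Unit Range Violation",
    "Subnormal",
)
LIMIT = ("none", "Low", "High", "Constant")


@dataclass(frozen=True)
class Status:
    quality: str
    substatus: str
    limit: str


def decode(status_byte: int) -> Status:
    """Split a status byte into the three attributes of Table 3.9g."""
    if not 0 <= status_byte <= 0xFF:
        raise ValueError("status must fit in one byte")
    q = status_byte >> 6
    sub = (status_byte >> 2) & 0x0F
    lim = status_byte & 0x03
    if q == 0:
        names = BAD_SUBSTATUS
    elif q == 1:
        names = UNCERTAIN_SUBSTATUS
    else:
        names = ()   # Good: alarm summary or block-internal use, not decoded here
    # Codes with no name in the table are reported numerically, never guessed.
    name = names[sub] if sub < len(names) else f"code {sub}"
    return Status(QUALITY[q], name, LIMIT[lim])


def pid_action(status_byte: int, uncertain_as: str = "Bad", on_bad: str = "Man") -> str:
    """Hypothetical loop policy: decide what the PID does with this input."""
    if uncertain_as not in ("Good", "Bad") or on_bad not in ("Man", "FaultState"):
        raise ValueError("unknown policy option")
    st = decode(status_byte)
    effective = uncertain_as if st.quality == "Uncertain" else st.quality
    if effective.startswith("Good"):
        return "Auto: continue control"
    if on_bad == "Man":
        return "Man: loop switched to manual"
    return "Fault state: valve driven to its predetermined safe position"


# Constructed status bytes, as an AI block might publish them.
SAMPLES = [0x80, 0x56, 0x10, 0x1C]

if __name__ == "__main__":
    for b in SAMPLES:
        print(f"0x{b:02X}", decode(b),
              "| availability loop:", pid_action(b, uncertain_as="Good"),
              "| safety loop:", pid_action(b, uncertain_as="Bad", on_bad="FaultState"))
```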

Reference

1. Berge, J., Fieldbuses for Process Control—Engineering, Operation, and Maintenance, Research Triangle Park, NC: ISA, 2002.