Functional Safety Manual
for the Memosens transmitter Liquiline M CM42 SIL
Version:
Page:
2.0
16
of
72
A
ll
e
R
ec
h
te
v
o
rb
eh
al
te
n
.
D
as
K
o
p
ie
re
n
d
ie
se
s
D
o
k
u
m
en
ts
u
n
d
d
ie
V
er
w
en
d
u
n
g
v
o
n
T
ei
le
n
au
s
d
ie
se
m
D
o
k
u
m
en
t
is
t
o
h
n
e
sc
h
ri
ft
li
ch
e
G
en
eh
m
ig
u
n
g
d
er
E
n
d
re
ss
+
H
au
se
r
C
o
n
d
u
ct
a
G
m
b
H
+
C
o
.
K
G
n
ic
h
t
er
la
u
b
t.
A
ll
ri
gh
ts
re
se
rv
ed
.
P
as
si
n
g
o
n
an
d
co
p
yi
n
g
o
f
th
is
d
o
cu
m
en
t,
u
se
an
d
co
m
m
u
n
ic
at
io
n
o
f
it
s
co
n
te
n
ts
n
o
t
p
er
m
it
te
d
w
it
h
o
u
t
w
ri
tt
en
au
th
o
ri
za
ti
o
n
fr
o
m
E
n
d
re
ss
+
H
au
se
r
C
o
n
d
u
ct
a
G
m
b
H
+
C
o
.
K
G
.
Anyway the signal has to be voted by a 2oo2 voter using the following algorithm:
If any of the current outs shows a HI or LO error current, an error current has to be
set.
If any current out delivers a signal below 3.6mA (e.g. 0 mA), an error current has to
be set.
If the both current outputs
differ by more than
±
0.04 pH from each other for
longer than 1 second,
an error current has to be set.
The allowed current output difference is then dependant on the current output
spreading used.
E.g. for a given spread interval of 1pH we get an allowed difference of
0.04 pH
×
16 mA/pH = 0.64 mA (= 4.0% of full span),
for an interval of 14 pH the allowed difference is
0.04 pH
×
1.143 mA/pH=0.04572 mA ( 0.3% of full span; you have to use 0.05
because of the given physical resolution of the current outputs).
See below for a table of values for different spreading.
Spread
[pH]
1.0
2.0
3.0
4.0
5.0
6.0
7.0
Allowed
difference [mA]
0.64
=4%
0.32
0.21
0.16
0.13
0.11
0.09
Spread
[pH]
8.0
9.0
10.0
11.0
12.0
13.0
14.0
Allowed
difference [mA]
0.08
0.07
0.06
0.06
0.05
0.05
0.05
0.3%
The device is leaving the safe state when being restarted. After the device has booted
correctly and has detected a sensor, all start up self tests have been successfully
executed. The device is not automatically entering the safe SIL mode after a reboot,
even if it has been correctly working in SIL mode before the reset has taken place.
Note!
After the safe state has been detected by the logic component, the CM42 has to be
manually switched to the safe SIL mode back again. This is necessary, because the logic
component does not know, if the transmitter has been "repaired" after the safe state has
been reached at the logic component. The logic component just detects a measuring
value after the error current has been seen for at least 4 seconds.
Example for a voter realized in a PCS as a function block
