3.

Transmitters: Self-Checking and Self-Validating

J. BERGE

(2005)

Communications
Infrastructure
(Permanently
Connected):

Transmitters with 4- to 20-mA output shall conform to NAMUR NE-43 HART

handheld such as the Smar HPC301 (about U.S. $1000)
FOUNDATION fieldbus host such as Smar SYSTEM302 (from U.S. $4000)

Costs (Typical base

prices for pressure
transmitters):

Microprocessor-based 4 to 20 mA, such as SMAR LD290, U.S. $500

HART, such as SMAR LD301, U.S. $700
FOUNDATION Fieldbus, such as SMAR LD302, U.S. $800

Suppliers:

Refer to Sections 3.6, 3.7, and 3.8 in this volume and to Volume 1 of this handbook.

INTRODUCTION

LEVELS OF DIAGNOSTIC INFORMATION

Self-diagnostics are of great importance for both operation

and maintenance. Self-diagnostics are important because the
reliability of the measurements is essential for proper control.
Control and alarm systems using invalid inputs are a safety
hazard. Measurement validation is therefore paramount. Indications of invalid measurements can be used to shut down
the loop or to activate backup systems.
Conventional and more sophisticated software tools such
as statistical process control (Section 2.34), model-based predictive control (Section 2.14), and optimization (Section 2.20)
should all work only with validated data and must know
whether a measurement is invalid.
Until recently only two types of maintenance strategies
were used in the processing industry: reactive maintenance (its
response is usually too late) and preventive maintenance (too
early). Both are costly and ineffective. The recommended
maintenance scheme is a proactive one, which responds to the
actual device status.
Such condition-based maintenance strategies rely on selfdiagnostics to report on the health of field instruments to an
asset management software system. Self-diagnostics detect
and immediately signal the failure of a device. Diagnostics in
conjunction with appropriate means of communication and
advanced software tools permit remote troubleshooting.
Measurement validation is also critical in the proper operation of safety control systems. This requirement resulted in
a trend that because switches provide no diagnostics, lowcost transmitters are taking their place in critical applications,
where self-diagnostics are used.

Self-validation methods vary by both the type of measurement and by the supplier involved. In the past, most transmitters only had a single general failure indication for all
faults. Todays transmitters, however, increasingly provide
detailed diagnostics. The level of diagnostics available varies
greatly by manufacturer.
Indeed, some transmitters are equipped to provide diagnostics that go down to the chip level, even if repair can only
be performed at the board level. Because component level
repairs are currently rare and are subject to approval from
both a certification agency and the manufacturer, for most
practical purposes, board-level diagnostics are sufficient.
Transmitters have diagnostics for the transmitter itself, i.e.,
the main circuit board, as well as diagnostics for its sensor or
sensors. Transmitters can be categorized into two groups with
respect to the sensor: those with integral sensors such as most
pressure, flow, and level transmitters, and those with external
sensors such as most temperature, pH, conductivity, etc.
Devices without microprocessors have no diagnostics at all.
How Diagnostics Are Performed
Self-diagnostics of transmitters are active when the power supply is on. When this is the case, the integrity of data in the
different nonvolatile memories is checked to ensure that they
have not been corrupted (Figure 3.9a). Memory checks are also
performed periodically while the device is in operation. Other
diagnostics include consistency of configuration and calibration. If a device is in simulation mode, this is also reported by
the diagnostics software.

559
2006 by Bla Liptk

560

Transmitters and Local Controllers

Main circuit board

Sensor module
Power
isolation

Local
adjust
PROM
memory

Pressure
Oscillator

Signal
isolation

Temp

Sensor
EEPROM
memory

CPU
EEPROM
RAM
Memory

Math coprocessor
D/A
converter
HART
modem
display
controller

Output
and
power
supply

Display

FIG. 3.9a
Diagnostics are performed by CPU firmware in conjunction with sensors application specific integrated chips (ASIC).

Many types of device failures can manifest themselves in

similar ways and it may not be possible to distinguish among
them. Moreover, a failure of the main circuit board often results
in the failure of a local display and communication channel,
thereby making easy diagnostics impossible. Therefore, the
user may not know exactly what is wrong with the sensor
module. However, it suffices to know that the main circuit and
not just the sensor module has failed because the main circuit
has to be replaced in either case. Detailed analysis can be
performed once the faulty circuit board has been replaced.
Transmitters with Integral Sensors Transmitters with integral sensors continuously check the sensor signal and compare it to expected readings to detect abnormal conditions
based on manufacturer experience with the particular measurement method used. Pressure, level, and flow transmitters
are all available with integral sensors. In order to allow for
easier repair, the sensor is usually detachable from the main
circuit board (Figure 3.9b).
The device or its sensor module provides temperature
monitoring for temperature compensation of the measurement
in addition to registering the violation of temperature limits.
If a low limit is violated, this can be used to alert operators
that the process fluid may be solidified or frozen and therefore
the operation of the heat tracing system should be checked.
Similarly, if a high-temperature limit is violated, it is desirable
to check whether the sensor has been affected, degrading its
accuracy or requiring recalibration. Such condition monitoring
is required for proactive maintenance, which can ensure that
small transmitter problems are corrected before they can cause
large plant problems.
The symptoms of several types of sensor failures are
similar and may not be distinguishable. For example, the
leaking of pressure sensor diaphragms caused by corrosion

2006 by Bla Liptk

FIG. 3.9b
Pressure sensor module contains application specific integrated
chips (ASIC) that handle diagnostics. (Courtesy of SMAR.)

3.9 Transmitters: Self-Checking and Self-Validating

561

may result in the same symptoms as some other type of sensor

failure. In this case, the user may not know exactly what is
wrong, but it suffices to know that the problem is with the
sensor module and not the main circuit board and therefore
the sensor has to be replaced. Detailed analysis can be performed after the faulty sensor has been removed. What is
most important is to know that it was indeed a genuine sensor
failure and not some kind of process upset or blocked impulse
line that created the indication of failure.

or defects in the cabling. As a means to support proactive

maintenance, the transmitter may even include a timer that
alerts the operator when it is time to recalibrate. Furthermore, the transmitter may contain internal gain check to
detect drift in its own internal secondary measurement
circuitry.

Transmitters with External Sensors Transmitters utilizing

external sensors include temperature, pH, and conductivity
as well as several other types. A self-diagnosing transmitter
periodically checks the external sensor to determine its health
as well as checking the integrity of the wiring. A variety of
tests can be performed, depending on the measurements and
on the type of the primary sensor.
For example, in the case of thermocouple-type (TC) temperature sensors, the test may involve the sending of current
through the leads to verify the continuity of the wires and to
detect burn-out of the TC junction. Another test is to check
the plausibility of the cold-junction temperature sensor reading.
For an RTD (Resistance Temperature Detector) sensor,
the transmitter may measure the resistance of the individual
sensor wires because excessive resistance can signify poor
or wrong connections. Furthermore, the transmitter may contain internal comparison circuits, which can detect drift in its
own internal secondary measurement circuitry.
More expensive but also more comprehensive diagnostics
can be provided if two temperature sensor elements are used.
If their readings excessively deviate from each other, that is
used as an indication of failure.
pH is a notoriously difficult measurement and is perhaps
one of the best examples where good use can be made of measurement validation. A modern pH transmitter (Figure 3.9c)
continuously monitors both the measurement and the reference electrodes to detect mechanical damage of the sensor, contamination or blockage of the diaphragm, and aging

The output signal of a transmitter can indicate its own health

and the validity of its measurement. In case of analog transmitters, if the output is outside the normal operating range, that
usually signals some type of failure. Intelligent transmitter communication indicates the status by using codes and parameters.

FIG. 3.9c
Self-checking pH transmitter. (Courtesy of Mettler-Toledo.)

2006 by Bla Liptk

DIAGNOSTICS TRANSMISSION

Analog Transmitters
Transmitters without microprocessors have practically no
real diagnostics capability. However, thermocouple temperature transmitters may still have a pull-up resistor that
prevents the input from floating in case of thermocouple
burnout, which otherwise can drive the output to either of
the following extremes: above 20 or below 4 mA.
Other analog transmitters work in a similar fashion. This
scheme of protection is available for live zero signals such
as 4 mA or 1 V, but for dead zero (zero-based) signals, the
scheme does not work because it is usually not possible to
go below 0 mA or 0 V. In these cases, an output that is below
1% is usually considered to be a failure indication.
Microprocessor-Based Transmitters
Microprocessor-based transmitters with 4- to 20-mA output
and with or without highway addressable remote transducers
(HART) have sensor diagnostics and can manipulate their
outputs intelligently.
The NAMUR NE-43 (Normen-Arbeitsgemeinschaft fr
Me-und Regulungstechnik in der Chemischen Industrie)
standard defines the signal levels that indicate the health of
instruments (Figure 3.9d).
To indicate that the measurement is Good, the transmitter
uses a signal in the range 4 to 20 mA. The wider range of 3.8
to 20.5 mA indicates that the measurement is outside the set
range but probably still useful. This status may be considered
Uncertain. If the signal is between 3.6 and 3.8 mA or between
20.5 and 21 mA, the transmitter is Bad. So, when the signal
rises higher (20.5 to 21 mA) or drops lower (3.6 to 3.8 mA), a
set of user-defined safety actions should be initiated.
HART Transmitters HART (highway addressable remote
transducer) transmitters are smart instruments (see Section 4.11
in Volume 3 of this handbook) that provide slow digital
communication in addition to their simultaneous 4- to 20-mA
analog signals. The device status is included in all their
communication responses.

562

Transmitters and Local Controllers

21.0
20.5

the analog signal from the transmitter and bring it to the attention of the operator (Table 3.9e).
However, in such control systems where the communication is always on and continuously polls the transmitters,
a faulty sensor is reported instantly. In order to provide this
mode of operation, it is necessary that the DCS/PLC systems
use input modules with HART communication or an auxiliary
HART multiplexer.

Output current
Failure
Saturated

20.0

Set range

4.0
3.8
3.6

Saturated
Failure
Applied input

FIG. 3.9d
A failure indication recommendation by a German standard,
NAMUR NE-43 (Normen-Arbeitsgemeinschaft fr Me-und Regulungstechnik in der Chemischen Industrie).

Because HART is relatively slow, the control loops rely

on the 4- to 20-mA analog signal for control. Therefore, in
most installations the HART communication capability is only
utilized occasionally, by connecting a handheld tool. Therefore, in most plants the HART device rarely communicates the
measurement validity digitally. Consequently, when the HART
communication is not continuous it is even more important
that the control system should detect any fault indication by

Foundation Fieldbus Transmitters Foundation Fieldbus transmitters are intelligent instruments (see Section 4.12 in Volume 3
of this handbook) with pure digital communication. Fieldbus
communication is always on. The health of the device and
the validity of the measurement are continuously communicated. The extensive diagnostics capabilities and the ability
to effectively report the health and measurement validity of
the transmitted data are among the primary reasons for choosing Fieldbus.
In addition to the diagnostic and validity information listed
in Table 3.9f, every transducer block has detailed diagnostic
TABLE 3.9f
Diagnostics and Validity Information Provided by Fieldbus
Transmitters
Parameter
*.status

All input and output parameters,

including the measurement, as
well as some contained
parameters have a status
associated with the value (see
Table 3.9g)

BLOCK_ERR

All blocks have a summary of

faults. In the resource block, this
parameter reflects the health of
the device as a whole. In the AI
block, it represents the
associated measurement (see
Table 3.9h).

TABLE 3.9e
Descriptions of HART Errors
Error

Description

Description

Field Device Malfunction

The device has failed. The

measurement is invalid.

Configuration Changed

The device configuration has been

changed, possibly affecting the
measurement.

Cold Start

The device has restarted.

XD_ERROR

More Status Available

Additional detail status about the

device health or measurement
validity is available.

All transducer blocks have more

detailed information about the
fault.

MODE_BLK

All blocks have a mode. If the

actual mode of the resource
block does not match the target
mode, this is an indication of
some sort of problem with the
device as a whole. If the actual
mode of a transducer block does
not match the target mode,
this is an indication of a
problem with the associated
measurement.

RS_STATE

The resource block indicates the

overall health of the device. If it
is failure, the memory or other
hardware has a fault.

Analog Output Current Fixed

The device is in simulation mode.

Output does not reflect
measurement.

Analog Output Saturated

The output is out of range. The

output does not reflect the
measurement.

Nonprimary Variable Out of

Limits

Auxiliary measurement, e.g.,

sensor temperature, is out of
range. The measurement may be
uncertain.

Primary Variable Out of Limits

The measurement is out of range.

The output does not reflect the
actual value.

2006 by Bla Liptk

3.9 Transmitters: Self-Checking and Self-Validating

563

TABLE 3.9g
Fieldbus Measurement Status Attributes and Their Descriptions
Status Attribute

Description

Quality

The validity of the measurement value may be Good, Bad, or Uncertain. There are two forms of Good; the
one associated with measurements is Good (Noncascade).

Substatus

Additional details hinting why the quality is Bad or Uncertain. For Good it contains alarm summary or other
information used by the internal workings of the block.
Bad

Uncertain

Limit condition

Nonspecific
Configuration error

Some parameter is incorrectly configured.

Not connected

Input is not linked.

Device failure

Output has failed.

Sensor failure

Sensor has failed.

No communicationlast usable
value

Input is not being received. The value remains

since last communication.

No communicationwith no
usable value

Input is not being received. No earlier value is

available.

Out of Service

The block is out of service.

Nonspecific
Last Usable Value

Input is disconnected. The value remains since

earlier on.

Substitute

The value is entered manually

Initial Value

Value entered while in out-of-service mode.

Sensor Conversion Not Accurate

Out of range or the sensor may have fouled.

Engineering Unit Range Violation

Out of range.

Subnormal

Auxiliary or redundant sensors have failed or are

not in agreement

The limit condition for the value may be either High, Low, Constant, or none at all. High, low, and constant
mean that the measurement does not represent the actual value, e.g., due to over range.

parameters that are specific for the particular transmitter type,

technology, and manufacturer.
The BLOCK_ERR parameter is found in all FOUNDATION
Fieldbus function blocks. It gives a summary of all faults in
the device (Table 3.9h).

DIAGNOSTIC INFORMATION DISPLAYS

The fact that a transmitter failed or that it needs attention must
be indicated both locally and in the control room in order to
bring this information to the operators attention. Fieldbus and
HART configuration tools allow for effective management of
failures, as was discussed in Section 1.6 of the first volume of
this handbook.
The local indicator on the transmitter can display status,
such as Bad, and can provide direct failure messages, such
as sensor burnout, both textually (Figure 3.9i) and symbolically (Figure 3.9j).
Health indication is very helpful for troubleshooting in
the field. For this reason it is a good idea to use transmitters
that are provided with local digital displays.

2006 by Bla Liptk

Usually, the operator in the control room is the first to

notice that invalid measurements or transmitter failures have
occurred. In order for the total process of transmitter selfchecking and validation to be fully effective, the chain, consisting of failure detection in the transmitter, transmission of
that information to the control system, and its presentation
for the operators, must be fully integrated (Figure 3.9k).
In addition to the displaying of the status on the faceplate,
any Uncertain or Bad status should also be logged and alarmed.
Once operators detect an invalid measurement they can initiate
the process that will determine the actual cause.
OPC (Object link embedding for Process Control) is a
key technology serving to get data to the operators workstations in the control room. This software architecture was
described in Section 5.4 of the third volume of this handbook.
It is recommended to use OPC in conjunction with HART
or FOUNDATION Fieldbus.
Portable and Handheld Displays
On the displays of handheld tools, technicians can see the
detailed diagnostics of the transmitter. In the case of HART

564

Transmitters and Local Controllers

TABLE 3.9h
Types and Descriptions of Universal Fieldbus Errors
Error

Description

Block configuration error

One or more parameters are wrongly configured, preventing the

block from operating properly. The measurement may be invalid.

Link configuration error

One or more of the links for the block are wrongly configured.

Simulate is active (enabled)

For the resource block this means that simulation is permitted for
the transmitter inputs. In an analog input it means that the input
is actually being simulated and does not represent the actual
measurement.

In Local Override (LO) mode

The block is in local override mode.

Device fault state is forced

Fail safe is forced in the device.

Device needs maintenance soon

The predictive diagnostics in the device indicates that it may soon

be in need of service. The device may e.g., require calibration,
cleaning, or some other service.

Input failure

The measurement has failed. The measurement may not be valid.

Output failure

The output has failed.

Memory failure

The device has a problem with one or more of its memories.

Lost static data

The device has lost its configuration. The measurement may be

affected.

Lost nonvolatile data

The device has lost its configuration. The measurement may be

affected.

Readback check failed

The actual output may not match the desired output.

Device needs maintenance now

The predictive diagnostics in the device indicates that is now in

need of immediate service. The device may e.g., require
calibration, cleaning, or some other service.

Powering up

The device is starting up

In Out-of-Service (OOS) mode

The mode of the block is set Out-of-Service.

Others

Additional device-specific status is available in other parameters.

systems, the portable handheld tool is brought out into the

field and is connected at the transmitter (Figure 3.9l).
In a Fieldbus system the technician can drill down into
the transmitter the detailed diagnostics information that can
be helpful in the troubleshooting effort. Because the communication in Fieldbus systems is always on, there is no need
to locate and connect a handheld tool to obtain the diagnostics;

they are available from the engineering station at any time

(Figure 3.9m).
FOUNDATION Fieldbus transmitters are provided with more
diagnostics, and the information provided is easier to access
from the control room. These extensive diagnostics and the
effective reporting of measurement validity are primary reasons for choosing Fieldbus.

PV

FIG. 3.9i
Failure message provided textually in a temperature transmitter
display. (Courtesy of SMAR.)

2006 by Bla Liptk

FIG. 3.9j
Failure message provided symbolically in a pH transmitter display.
(Courtesy of Mettler-Toledo.)

3.9 Transmitters: Self-Checking and Self-Validating

565

To effectively manage large numbers of installed transmitters and other instruments, the Fieldbus and HART network
infrastructure should be complemented with powerful online
plant asset management (OPAM) software (Figure 3.9n).
If the asset management software is Web-based, the
maintenance system can securely be connected to the enterprise-wide intranet or the public Internet using appropriate
firewalls and other means of protection. This permits diagnostics to be carried out from just about anywhere where it
is possible to establish an Internet connection. For example,
experts can access it from their homes, or access can be
granted to the manufacturers support center.
ACTING ON THE DIAGNOSTIC DATA

FIG. 3.9k
On the faceplate of the controller, next to the values of setpoint
(SP), process variable (PV), and output signal, the letter G
displays the good status of the complete system.

FIG. 3.9l
The transmitter diagnostics information, which is presented on a
HART handheld tool display.

FIG. 3.9m
The transmitter diagnostics information, which is presented on a
Fieldbus software-supported display.

2006 by Bla Liptk

It is not possible to control a process if the transmitted information is invalid or Bad. However, it may be possible to
maintain control while using uncertain measurements, such
as readings that are slightly out of range. In general, plant
safety is improved if transmitter self-diagnostics are utilized
to improve the validity of measurements.
Failsafe and Alarm Actions
Even the simplest analog control loop can be designed to fail
safely. For example, in case of level control, a failsafe transmitter will generate a high analog output (say 21 mA), if the
sensor fails. Therefore, the controller or alarm system will
interpret a 21-mA signal the same as if the tank is overfilled
and thus will automatically close the filling valve.
Sophisticated DCS and PLC may interpret NAMUR NE43 signal levels and thus determine if signal quality is Good,
Uncertain, or Bad.
HART communication is too slow for closed-loop control
or shutdown interlocks and therefore both controls and alarms
utilize 4- to 20-mA analog signals.
Converters exist that can tap the HART communication
from the signal lines and can activate relays in case of failure.
Such relays can tie to control systems, which do not communicate HART but do need to know the transmitter status.
In a Fieldbus-based control system, safe loop action is
part of the IEC 61804-1 function block diagram language for
building control strategies, which is an integral part of the
FOUNDATION Fieldbus system architecture. Values communicated between function blocks, such as from an analog input
(AI) block in a transmitter to a PID block in a control valve
positioner, are accompanied by their status.
A Bad measurement status from the transmitter can
automatically switch the loop to a manual mode of operation
or optionally, the PID control block can bring the control
valve to its predetermined safe position (Figure 3.9o).
An advantage of the Fieldbus function block language is
that the interlocks are built into the control blocks. Therefore
there is no need to configure and validate additional logic to
implement the interlocks. Moreover, because Fieldbus is a
standard, the interlocks work across all devices conforming

566

Transmitters and Local Controllers

FIG. 3.9n
Transmitter diagnostics using Web-based asset management (OPAM) software.

IFS
Bad

AI

Man

PID

LO

AO

FSA

FIG. 3.9o
TM
Status and operating mode propagation in a FOUNDATION fieldbus
control system, using function block language.

languages. This can ensure that the measurement validity and

other status information is propagated throughout the control
strategy and not lost along the way.
Within the fieldbus PID block it is possible to set whether
the status Uncertain shall be treated as Good or as Bad.
This makes it possible to be selective when balancing production availability against plant safety on a loop-by-loop
basis. For loops that require high availability, an uncertain
status is configured as good, thus permitting control to continue under such conditions. For loops where safety is the
primary concern, the uncertain status can be treated as bad,
thus shutting the loop down.

Reference
to the standard. Therefore it is advisable to use transmitters,
valve positioners, and central controllers that are based on
the FOUNDATION fieldbus blocks rather than using proprietary

2006 by Bla Liptk

1.

Berge, J., Fieldbuses for Process ControlEngineering, Operation,

and Maintenance, Research Triangle Park, NC: ISA, 2002.