MTL4500/MTL5500 Series

SAFETY MANUAL Analogue Input Modules

MTLx541, MTLx541S, MTLx544, MTLx544S, MTLx544D

FUNCTIONAL SAFETY MANAGEMENT

These products are for use as a sub-system within a
Safety System conforming to the requirements of
IEC 61508:2010 and enable a Safety Integrity Level
of up to SIL2 to be achieved for the instrument loop
in a simplex architecture.

SIL
2

IEC 61508:2010

SIL
2

IEC 61508:2010

Contents
1 INTRODUCTION

1.1 Application and function

1.2 Variant Description

2 System Configuration

2.1 Associated System Components

3 Selection of product and implications

4 Assessment of functional safety

4.1 EMC

4.2 Environmental

5 Installation

6 Maintenance

7 Appendices

7.1 Appendix A: Summary of applicable

standards 8
7.2 Appendix B : Proof Test Procedure,
MTL45/5500 Digital Input Modules

This manual supports the application of the products in functional-safety related loops. It must be used in
conjunction with other supporting documents to achieve correct installation, commissioning and operation.
Specifically, the data sheet, instruction manual and applicable certificates for the particular product should be
consulted, all of which are available on the MTL web site.
In the interest of further technical developments, we reserve the right to make design changes.

PAGE 2

www.mtl-inst.com

[email protected]

INTRODUCTION

1.1

Application and function

SIL

The analogue input modules, MTLx541 (single channel) and MTLx544 (dual channel) are intrinsic safety isolators that
interface with process measurement transmitters located in a hazardous area of a process plant. They are also designed
and assessed according to IEC 61508 for use in safety instrumented systems up to SIL2.
Each module provides a fully-floating dc supply for energising conventional 2-wire or 3-wire process transmitters while
repeating the current flowing in the field loop into another floating circuit to drive the safe area load. The MTLx544D
repeats the current flowing in a single field loop into two isolated safe area loads. For smart 2-wire transmitters using
the HART protocol the units allow bi-directional communications superimposed on the 4/20mA signal current. There are
no configuration switches or operator controls to be set on the module.
These modules are members of the MTL4500 and MTL5500 Series of products.

MTL4500 AND MTL5500 SERIES

1.2

Variant Description

Functionally the MTL4500 and MTL5500 Series modules are the same but differ in the following way:
- the MTL4500 modules are designed for backplane mounted applications
- the MTL5500 modules are designed for DIN-rail mounting.
In both models the hazardous area field-wiring connections (terminals 1-3, and 4-6) are made through the removable blue
connectors, but the safe area and power connections for the MTL454x modules are made through the connector on the
base, while the MTL554x uses the removable grey connectors on the top and side of the module.
Note that the safe-area connection terminal numbers differ between the backplane and the DIN-rail mounting models.

The analogue input models covered by this manual are:

MTL4541 and MTL5541
single channel, safe area current source
MTL4544 and MTL5544
dual channel, safe area current source
MTL4541S and MTL5541S
single channel, safe area current sink
MTL4544S and MTL5544S
dual channel, safe area current sink
MTL4544D and MTL5544D
single channel, two safe area current source outputs
Note: To avoid repetition, further use of MTLx54x in this document can be understood to include both DIN-rail and
backplane models. Individual model numbers will be used only where there is a need to distinguish between them.
Note: The MTL4541B is a version of the standard MTL4541 which has the negative terminal of the safe area current
output internally connected to the negative terminal of the power supply to simplify replacement of older MTL4041B and
MTL4041B-SR items. For a functional safety application the assessment is the same as for the MTL4541.

PAGE 3

All the analogue input modules have the same connectivity for the field signals, supporting two- and three-wire process transmitters,
as well as accepting signals from separately powered current sources. The connection of the repeated current signals into the
input measurement channels for the safety logic system follows the arrangement shown in the following diagram. When the input
channels of the SIS are providing power for the loop, the S variants of the isolator modules are used to sink the measuring
current. In the other cases the isolator modules source the measuring current that flows into a load resistor inside the SIS.
Field wiring

MTLx541

MTLx541S

(Current
source)

2-wire Transmitter

(Current
sink)

SIS - passive input

24V

2
Load
0V

SIS - 2-wire input

A

Current
limiter

24V

Load
Pwr

3-wire Transmitter

24V

Pwr 2

1
3

0V

4-wire Transmitter
or current source

1
3

24V
B

1
3

24V

B
0V

Pwr

Pwr

Pwr

0V

Pwr

0V

24V

0V

Pwr

Pwr

Output pins (A, B)

MTL4541/S: A = 8 B = 9

MTL5541/S: A = 11 B = 12

Figure 1.1 - Analogue Input Connections

System Configuration

An MTLx54x module may be used in single-channel (1oo1) safety functions up to SIL2.

The figure below shows the system configuration and specifies detailed interfaces to the safety related and non safety-related
system components. It does not aim to show all details of the internal module structure, but is intended to support understanding
for the application.
MTLx541 - 1ch
(MTLx544 - 2ch)

+vs

vs

2-wire
Ch1

3-wire

+ve

20 to 35V dc
14

13

3
8

Ch2

ve

+ve

PLC
(Safety
related)

12

6
11

I
4

POWER
SUPPLY
(Not safety
related)

PLC
(Safety
related)

ve

Figure 2.1 - Analogue Input module system configuration - see the Note in the text regarding use of dual channel modules.

SIL
2

IEC 61508:2010

PAGE 4

www.mtl-inst.com

[email protected]

The MTLx54x modules are designed to power process transmitters in the hazardous area and to repeat the current
flowing in the field loop to the safe-area load. The shaded area indicates the safety-related system connection,
while the power supply connections are not safety-related. For simplicity the term PLC has been used to denote
the safety system performing the monitoring function of the process loop variable.

SIL

Note: When using the MTLX544 dual-channel modules, it is not appropriate for both channels to be used in the
same loop, or the same safety function, as this creates concerns of common-cause failures. Consideration must
also be made of the effect of common-cause failures when both loops of a dual-channel module are used for
different safety functions. A similar concern applies to the MTLX544D where only one of the output channels can
be used in a safety loop, not both channels.
2.1

Associated System Components

There are many parallels between the loop components that must be assessed for intrinsic safety as well as
functional safety. In both situations the contribution of each part is considered in relation to the whole.
The MTLx54x module is a component in the signal path between safety-related process transmitters and safetyrelated control systems.
The transmitter or other field device must be suitable for the process and have been assessed and verified for use
in functional safety applications.
The instrumentation or control equipment shall have a current input with a normal operating range of 4-20mA
but capable of working over the extended range of 3 to 22mA for under- and over-range. It shall have the ability
to detect and signal input currents higher than the threshold of 21mA and lower than the threshold of 3.6mA to
determine out-of-range conditions.
The transmission of HART data is not considered as part of the safety function and is excluded from this analysis.
However, for HART data communication to take place then the input impedance of the equipment must be at least
240ohms.

Selection of product and implications

The output signal from the MTLx54x is within the operating range of 4-20mA under normal conditions.
If the field wiring to the transmitter or connection between the isolator and logic solver is open-circuit then the
loop current will fall to less than 3.6mA and close to zero. If the field wiring is short circuit then the loop current
will rise to a value greater than 21mA.
For the modules that source the current in the safe area circuit, i.e. MTLX541/44/44D, then if the connection
between the isolator and logic solver is shorted, the current seen by the logic solver will be less than 3.6mA and
close to zero. For the MTLX541S/44S modules that control the current supplied by the logic solver input, if the
connection between the isolator and logic solver is shorted, the current seen by the logic solver will rise to a value
greater than 21mA. In both cases, the fault condition should be detected by the logic solver. This includes power
supply failures which cause the output of the isolator to fall to zero mA.
Using a process transmitter and logic controller, as defined in section 2, with an MTLx54x then a system-loop can
be implemented that applies functional safety together with intrinsic safety to meet the requirements of protection
against explosion hazards. The transfer of HART communications through the isolator is not considered as part of
the safety function of the isolator.
It should be recognised that the systematic capability of the products limits their application to SIL2 loops.

PAGE 5

Assessment of functional safety

The design features and the techniques/measures used to avoid systematic faults permit the use of the MTLx54x modules in
instrument loops implementing safety functions up to SIL2 in a simplex architecture.
The hardware assessment shows that MTLx54x Repeater Power Supplies:
have a hardware fault tolerance of 0
are classified as Type A devices (non-complex component with well-defined failure modes)
there are no internal diagnostic elements of these products.
The definitions for product failure of the modules at an ambient temperature of 45C are as follows:Failure mode

Failure rate (FIT)

MTLx544 MTLx544S

MTLx541

MTLx541S

16

16

Output current <3.6mA (downscale)

203

210

238

243

227

Output current within range but >2% in error

17

19

20

21

22

Output current correct within 2%

116

120

131

141

153

Output current >21mA (upscale)

MTLx544D

(FITs means failures per 10 9 hours or failures per thousand million hours)

Reliability data for this analysis is taken from IEC TR 62380:2004 Reliability Data Handbook.
Failure mode distributions are taken principally from IEC 62061:2005 Safety of Machinery.

It is assumed that the module is powered from a nominal 24V dc supply and operating at a maximum ambient temperature of
45C.
Example of use in a safety function
In this example, the application context is assumed to be:
the safety function is to repeat current within 2%
the logic solver will diagnose currents above 21mA and below 3.6mA as faults and take appropriate action
The failure modes shown above can then be defined as:
Failure mode

Category

Output current >21mA (upscale)

Dangerous detected, ldd

Output current <3.6mA (downscale)

Dangerous detected, ldd

Output current within range but >2% in error

Dangerous undetected, ldu

Output current correct within 2%

Safe undetected, lsu

The failure rates of the MTLx541 for these categories are then (FITs):
Model
MTL4541 or MTL5541

lsd

lsu

ldd

ldu

116

210

17

In this example, the safe failure fraction is 95%.

Note, as previously stated, the design features and the techniques/measures used to prevent systematic faults are suitable for the
use of the MTLx541 in an instrument loop implementing safety functions up to SIL2 in a simplex architecture.

SIL
2

IEC 61508:2010

PAGE 6

www.mtl-inst.com

[email protected]

4.1

EMC

The MTL4500 and MTL5500 modules are designed for operation in normal industrial electromagnetic environment
but, to support good practice, modules should be mounted without being subjected to undue conducted or radiated
interference, see Appendix A for applicable standards and levels.
4.2

SIL

Environmental

The MTL4500 and MTL5500 modules operate over the temperature range from -20C to +60C, and at up to
95% non-condensing relative humidity.
The modules are intended to be mounted in a normal industrial environment without excessive vibration, as
specified for the MTL4500 & MTL5500 product ranges. See Appendix A for applicable standards and levels.
Continued reliable operation will be assured if the exposure to temperature and vibration are within the values
given in the specification.

Installation

There are two particular aspects of safety that must be considered when installing the MTL4500 or MTL5500
modules and these are:

Functional safety

Intrinsic safety

Reference must be made to the relevant sections within the instruction manual for MTL4500 Series (INM4500)
or MTL5500 Series (INM5500) which contain basic guides for the installation of the interface equipment to meet
the requirements of intrinsic safety. In many countries there are specific codes of practice, together with industry
guidelines, which must also be adhered to.
Provided that these installation requirements are followed then there are no additional factors to meet the needs
of applying the products for functional safety use.
To guard against the effects of dust and water the modules should be mounted in an enclosure providing at
least IP54 protection degree, or the location of mounting should provide equivalent protection such as inside an
equipment cabinet.
In applications using MTL4500 Series, where the environment has a high humidity, the mounting backplanes
should be specified to include conformal coating.

Maintenance

To follow the guidelines pertaining to operation and maintenance of intrinsically safe equipment in a hazardous
area, yearly periodic audits of the installation are required by the various codes of practice.
In addition, proof-testing of the loop operation to conform with functional safety requirements should be carried
out at the intervals determined by safety case assessment.
Proof testing must be carried out according to the application requirements, but it is recommended that this be
carried out at least once every three years.
Refer to Appendix B for the proof testing procedure of the MTL4500 or MTL5500 modules.
Note that there may also be specific requirements laid down in the E/E/PE operational maintenance procedure for
the complete installation.
If an MTL4500 or MTL5500 module is found to be faulty during commissioning or during the normal lifetime of
the product then such failures should be reported to MTL. When appropriate, a Customer Incident Report (CIR) will
be notified to enable the return of the unit to the factory for analysis. If the unit is within the warranty period then
a replacement unit will be sent.
Consideration should be made of the normal lifetime for a device of this type which would be in the region of ten years.

PAGE 7

Appendices

7.1

Appendix A: Summary of applicable standards and recommendations

This annex lists all standards referred to in the previous sections of this document:
IEC 61508:2010

Functional safety of electrical/electronic/programmable electronic

safety-related systems. Parts 1 and 2 as relevant

EN 61131-2:2003

Programmable controllers Part 2: Equipment requirement and tests

(EMC requirements)

EN 61326-1:2006

Electrical equipment for measurement, control and laboratory use

EMC requirements. (Criterion A)

IEC 61326-3-1:2008

Electrical equipment for measurement, control and laboratory use

EMC requirements Part 3-1: Immunity requirements for equipment
performing or intended to perform safety related functions (functional
safety) General industrial applications. (Criterion FS)

NE21 : 2007

Electromagnetic Compatibility of Industrial Process and Laboratory

Control Equipment. (Criterion A)

Lloyds Register Type Approval

System : 2002,
Test Specification Number 1.

Specifically vibration: 1.0mm displacement @ 5 to 13.2Hz and

0.7G acceleration @13.2Hz to 100Hz per IEC60068-2-6, test Fc

EN 60068-2-27

Environmental testing. Test Ea and guidance. Shock. (Criterion FS)

SIL
2

IEC 61508:2010

PAGE 8

www.mtl-inst.com

[email protected]

7.2

Appendix B : Proof Test Procedure, MTL45/5500 Analogue Input Modules

Confirmation, through testing, that a safety function will operate as designed, is a necessary periodic activity to
ensure that the probability of failure upon demand (PFDavg) is maintained.

SIL

In many safety applications, where practical, the user may well prefer that these proof tests are conducted on the
instrument loop as a whole, without dismantling or disconnecting the parts. This will help to ensure the integrity of
the installation is continued after commissioning, but the disturbance to plant operations may not be acceptable.
The tests given in this section of the manual will enable only the function of the isolator component of the safety
loop to be proved. Proof tests of the other components of the loop must be conducted at the requisite intervals to
maintain availability of the safety function. Alternative proof tests may be devised and applied provided they give
a similar level of test that is appropriate to the safety function.
The tests described here - see Figure 7.1 - compare the output current with the input current (A1) over the required
range of operation, and measure the error current i.e. the difference between the two - as indicated on A2.
The tests should be employed per channel, as appropriate.











Figure 7.1
Basic test
arrangement












Ammeter A2 must be capable of handling either polarity of signal. If it is not an auto-ranging instrument, set it to
a high range before switch on, then adjust sensitivity to obtain the required reading.
Proof Test Procedure
Test sequence:
1. System Normal operation test
2. Input/Output characteristic functional safety test.
3. System - Normal operation test
1. System - Normal operation test
Make sure that the module to be tested is operating normally in the target system, without errors and in energised
mode. If the module is in a faulty or de-energised loop, restore normal fault free and energised operation before
testing.
2. Input/Output characteristic functional safety test
Observe normal anti-static precautions when handling equipment during device testing.
Remove the unit from the target system and connect it, as appropriate, in the manner shown in Figure 7.2. Please
note, that it is also acceptable to leave the unit in the target system but only after ensuring that the terminals 1, 2,
3, 8 and 9 or 11 and 12 are disconnected from the system and available for test. Alternatively, for the backplane
mounted MTL4500 series modules, a separate backplane can be used to facilitate access to the power and output
connections.
During testing, the power supply, Vs - nominal 24.0V, min/max. range 20.0 to 35.0V - should be connected
between terminals 13 and 14 (+ve to terminal 14).
PAGE 9

10kR

RV1

V1

A1

+
250R

Ch2
o/p

MTL554x

14(+)

V1

250R

A2

+
24V dc

1 2 3 4 5 6

Ch1
o/p

13()

A1

RV1

7 8 9 10 11 12

Ch2
i/p

10kR

Insert 250R and 24V

supply for MTLx54xS
modules, otherwise use
direct link to o/p(+)

24V dc

A2

1 2 3 4 5 6
Ch1
i/p

Ch1
i/p

VS

MTL5501-SR
MTL454x

13(-)
14(+)

Power
supply

VS

Ch2
i/p

Ch1
o/p

Ch2
o/p

14 13 12 11 1 0 9 8 7
+

Figure 7.2- Connections for testing the MTL554x and MTL454x modules
Measurements
Note: do not connect the voltmeter (V1 in Figure 7.2) across the module input terminals until requested in step 6 below, otherwise
the current measurements may be affected.
Make the following measurements and, it is recommended, record the results in a table such as that shown on the next page.
1.
2.
3.
4.
5.
6.
7.

Adjust resistor RV1 to vary the current (A1) through the range 4 to 20mA. (Tests 1 - 5 in table)
The measured current imbalance (A2) over this range should not exceed 50A.
Adjust RV1 to vary the current (A1) to 3.5mA and then 21.5mA. (Tests 6 & 7 in table)
The measured current imbalance (A2) at these currents should not exceed 200A
Adjust RV1 for a 20mA current reading on A1. (Test 8 in table)
The voltage V1 measured across the channel input should typically be 16.5V.
Record the supply voltage Vs.

If appropriate, repeat these measurements for Channel 2.

3. System - Normal operation test
Disconnect the test setup from the unit and reconnect the original system configuration. Make sure that the tested unit operates
normally in the target system, as before, without errors and in energised mode.

SIL
2

IEC 61508:2010

PAGE 10

www.mtl-inst.com

[email protected]

Date: _____/_____/__________

Supply voltage Vs: _____________V dc

Module type: _______________

Serial No.: __________________________

Channel 1
Test #: Description

Actual

SIL

Target

Current imbalance (A2) at loop current (A1) = 4mA

<50A

Current imbalance (A2) at loop current (A1) = 8mA

<50A

Current imbalance (A2) at loop current (A1) = 12mA

<50A

Current imbalance (A2) at loop current (A1) = 16mA

<50A

Current imbalance (A2) at loop current (A1) = 20mA

<50A

Current imbalance (A2) at loop current (A1) = 3.5mA

<200A

Current imbalance (A2) at loop current (A1) = 21.5mA

<200A

Input voltage (V1) at loop current (A1) = 20mA

~16.5V

Channel 2
Test #: Description

Actual

Target

Current imbalance (A2) at loop current (A1) = 4mA

<50A

Current imbalance (A2) at loop current (A1) = 8mA

<50A

Current imbalance (A2) at loop current (A1) = 12mA

<50A

Current imbalance (A2) at loop current (A1) = 16mA

<50A

Current imbalance (A2) at loop current (A1) = 20mA

<50A

Current imbalance (A2) at loop current (A1) = 3.5mA

<200A

Current imbalance (A2) at loop current (A1) = 21.5mA

<200A

Input voltage (V1) at loop current (A1) = 20mA

~16.5V

PAGE 11

GLOBAL LOCATIONS
ITALY
MTL Italia srl, Via A. Meucci 10
I - 20094 Corsico MI, Italy
Tel: + 39 (0)2 61802011 Fax: + 39 (0)2 61294560
E-mail: [email protected]

Tel: + 61 1300 308 374 Fax: + 61 1300 308 463

E-mail: [email protected]

SINGAPORE
Cooper Crouse-Hinds Pte Ltd
No 2 Serangoon North Avenue 5, #06-01 Fu Yu Building
Singapore 554911
Tel: + 65 6 645 9888 Fax: + 65 6 487 7997
E-mail: [email protected]

CHINA
Cooper Electric (Shanghai) Co. Ltd. Room 2001, China Life Tower,
16 Chao Yang Men Wai Street,
Chao Yang District, Beijing, China 100020

JAPAN
Cooper Crouse-Hinds Japan KK,
MT Building 3F
2-7-5 Shiba Daimon, Minato-ku,
Tokyo, Japan 105-0012

UNITED ARAB EMIRATES

MTL Instruments, Villa No. 4, Sector 2-17
Street 6, PO Box 53234
Abu Dhabi, UAE

Tel: + 86 10 5980 0231 Fax: + 86 10 8562 5725

E-mail: [email protected]

Tel: + 81 (0)3 6430 3128 Fax: + 81 (0)3 6430 3129

E-mail: [email protected]

Tel: + 971 2 446 6840 Fax: + 971 2 446 6841

E-mail: [email protected]

FRANCE
MTL Instruments sarl,
7 rue des Rosiristes, 69410 Champagne au Mont dOr
France

SOUTH KOREA
Cooper Crouse-Hinds Korea
12F, Vision Tower
707-2 Yeoksam-Dong Gangnam-Gu,
Seoul 135-080, South Korea.

UNITED KINGDOM
Measurement Technology Limited,
Great Marlings, Butterfield, Luton
Beds LU2 8DL

Tel: + 33 (0)4 37 46 16 53 Fax: + 33 (0)4 37 46 17 20

E-mail: [email protected]

Tel: + 82 2 538 3481 Fax: + 82 2 538 3505

E-mail: [email protected]

GERMANY
MTL Instruments GmbH, An der Gmpgesbrcke 17
D-41564 Kaarst, Germany

NETHERLANDS
MTL Instruments BV
Terheijdenseweg 465, 4825 BK Breda
The Netherlands

Tel: + 49 (0)2131 718930 Fax: + 49 (0)2131 7189333

E-mail: [email protected]

Tel: +31 (0) 76 7505360 Fax: +31 (0) 76 7505370

E-mail: mtl. [email protected]

INDIA
MTL India, No.36, Nehru Street
Off Old Mahabalipuram Road
Sholinganallur, Chennai - 600 119, India
Tel: + 91 (0) 44 24501660 /24501857 Fax: + 91 (0) 44 24501463
E-mail: [email protected]

www.mtl-inst.com

[email protected]

Tel: + 44 (0)1582 723633 Fax: + 44 (0)1582 422283

E-mail: [email protected]
Americas
Cooper Crouse-Hinds MTL Inc.
3413 N. Sam Houston Parkway W.
Suite 210, Houston TX 77086, USA
Tel: + 1 281-571-8065 Fax: + 1 281-571-8069
E-mail: [email protected]

ZL-B-SM45-55-AI-EN-0213

AUSTRALIA
MTL Instruments Pty Ltd, 205-209 Woodpark Road,
Smithfield, New South Wales 2164
Australia