D5014 - SIL 3 Repeater Power Supply
G.M. International ISM0103-3
SIL Applications
D5014S and D5014D Repeater Power Supplies, with Active and Passive Input
• Safety function
The failure behaviour for the 4 to 20 mA output current range is described by the following definitions, which are the same for the two operating modes (active and passive input):
□ fail-Safe State: defined as the output going to fail low or high;
□ fail Safe: failure mode that causes the module to go to the defined fail-safe state without a demand from the process;
□ fail Dangerous: failure mode that does not respond to a demand from the process (i.e. is unable to go to the defined fail-safe state) or deviates the output current by more than 5 % (0.8 mA) of full span;
□ fail High: failure mode that causes the output signal to go above the maximum output current (> 20 mA);
□ fail Low: failure mode that causes the output signal to go below the minimum output current (< 4 mA);
□ fail “No Effect”: failure mode of a component that is part of the safety function but has no effect on the safety function, or deviates the output current by not more than 5 % (0.8 mA) of full span. For the calculation of the SFF it is considered a safe undetected failure;
□ fail “Not part”: failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not considered for the total failure rate (safety function) evaluation;
□ fail “Not considered”: failure mode not associated with the previous categories, divided into 50 % safe failures and 50 % dangerous undetected failures.
Assuming that the application program in the safety logic solver is configured to detect under-range (Low) and over-range (High) failures and does not automatically trip on these failures, these failures have been classified as dangerous detected (DD) failures. The following PFDavg values have been calculated for different T[Proof] test intervals using the Markov model for a 1oo1D architecture system, considering that the safety logic solver can convert the fail dangerous detected to the selected fail-safe state.
• The 2 channels of the D5014D module can be used to increase the hardware fault tolerance needed for a higher SIL of a given Safety Function, as they are completely independent of each other and share no common components. In fact, the analysis results obtained for the D5014S (single channel) are also valid for each channel of the D5014D (double channel).
• Failure rates table:

Failure category                                                                    | Active Input (FIT) | Passive Input (FIT)
------------------------------------------------------------------------------------|--------------------|--------------------
λdd = Total Dangerous Detected failures = λdd int. + λhigh + λlow                   | 151.64             | 140.70
    λdd int. = Dangerous Detected failures (detected by diagnostics)                 | 20.20              | 20.20
    λhigh = High failures (detected by the logic solver)                             | 30.06              | 30.24
    λlow = Low failures (detected by the logic solver)                               | 101.38             | 90.26
λdu = Total Dangerous Undetected failures = λdu int. + 50% * λnot considered        | 21.44              | 20.72
    λdu int. = Dangerous Undetected failures                                         | 21.36              | 20.64
    50% * λnot considered = “Not considered” or “undefined” failures                 | 0.08               | 0.08
λsd = Total Safe Detected failures                                                  | 0.00               | 0.00
λsu = Total Safe Undetected failures = λno effect + 50% * λnot considered           | 183.92             | 179.58
    λno effect = “No Effect” failures                                                | 183.84             | 179.50
    50% * λnot considered = “Not considered” or “undefined” failures                 | 0.08               | 0.08
λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu            | 357.00             | 341.00
λnot part = “Not Part” failures                                                     | 5.80               | 21.80
λtot device = Total Failure Rate (Device) = λtot safe + λnot part                   | 362.80             | 362.80
MTBF (single channel) = (1 / λtot device) + MTTR (8 hours)                          | 314 years          | 314 years
MTTF_S (Total Safe) = 1 / (λsd + λsu)                                               | 620 years          | 635 years
MTTF_D (Dangerous) = 1 / λdu                                                        | 5324 years         | 5509 years
• Failure rates table according to IEC 61508:

              | λsd     | λsu        | λdd        | λdu       | SFF    | DCs | DCd
--------------|---------|------------|------------|-----------|--------|-----|-------
Active Input  | 0.0 FIT | 183.92 FIT | 151.64 FIT | 21.44 FIT | 93.99% | 0%  | 87.61%
Passive Input | 0.0 FIT | 179.58 FIT | 140.70 FIT | 20.72 FIT | 93.92% | 0%  | 87.16%
• PFDavg vs T[Proof] table, with determination of SIL supposing the module contributes 10% of the entire safety function:

              | T[Proof] = 1 year                   | T[Proof] = 10 years
--------------|-------------------------------------|-------------------------------------
Active Input  | PFDavg = 9.39 E-05, valid for SIL 3 | PFDavg = 9.39 E-04, valid for SIL 2
Passive Input | PFDavg = 9.08 E-05, valid for SIL 3 | PFDavg = 9.08 E-04, valid for SIL 2
• PFDavg vs T[Proof] table, with determination of SIL supposing the module contributes 20% of the entire safety function:

              | T[Proof] = 2 years                  | T[Proof] = 20 years
--------------|-------------------------------------|-------------------------------------
Active Input  | PFDavg = 1.88 E-04, valid for SIL 3 | PFDavg = 1.88 E-03, valid for SIL 2
Passive Input | PFDavg = 1.82 E-04, valid for SIL 3 | PFDavg = 1.82 E-03, valid for SIL 2
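As an added worked example (not part of the G.M. International datasheet), the following Python recomputes every derived figure in the tables above from the per-category FIT values: the λdd, λdu, λsu and total rates, SFF and diagnostic coverage, MTBF and MTTF, and the PFDavg/SIL result for each T[Proof] and module share. It assumes the IEC 61508 definitions of SFF and DC, the simplified 1oo1 relation PFDavg = λdu · T[Proof] / 2 in place of the datasheet's Markov model (the two agree to three significant figures here because dangerous-detected failures are converted to the fail-safe state), the IEC 61508 low-demand PFDavg bands for the SIL determination, and λnot considered = 0.16 FIT, inferred from the 50 % share of 0.08 FIT shown in the table. The class and function names are this example's own.

```python
"""Recompute the D5014 failure-rate, SFF/DC, MTBF/MTTF and PFDavg figures from the
per-category FIT values on the datasheet page.

Added example, not G.M. International's own calculation.  Assumptions:
- IEC 61508 definitions: SFF = (λsd + λsu + λdd) / λtot safe,
  DCs = λsd / (λsd + λsu), DCd = λdd / (λdd + λdu);
- simplified 1oo1 PFDavg = λdu * T_proof / 2, which reproduces the page's
  Markov-model results to three significant figures because the logic solver
  converts every dangerous-detected failure into the fail-safe state;
- λnot considered = 0.16 FIT, derived from the page's 50 % share of 0.08 FIT.
"""
from dataclasses import dataclass

FIT = 1e-9                 # 1 FIT = 1 failure per 1e9 hours
HOURS_PER_YEAR = 8760.0
MTTR_HOURS = 8.0           # repair time the page adds to MTBF

# IEC 61508 low-demand PFDavg bands: SIL -> [lower, upper)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass(frozen=True)
class Channel:
    """Per-category failure rates (FIT) for one D5014 channel, as listed on the page."""
    name: str
    dd_int: float          # dangerous, detected by internal diagnostics
    high: float            # output > 20 mA, detected by the logic solver
    low: float             # output < 4 mA, detected by the logic solver
    du_int: float          # dangerous undetected
    not_considered: float  # split 50 % safe undetected / 50 % dangerous undetected
    no_effect: float       # counted as safe undetected for the SFF
    sd: float              # safe detected
    not_part: float        # not part of the safety function; device total only

    @property
    def lambda_dd(self) -> float:
        return self.dd_int + self.high + self.low

    @property
    def lambda_du(self) -> float:
        return self.du_int + 0.5 * self.not_considered

    @property
    def lambda_su(self) -> float:
        return self.no_effect + 0.5 * self.not_considered

    @property
    def lambda_tot_safe(self) -> float:
        return self.lambda_dd + self.lambda_du + self.sd + self.lambda_su

    @property
    def lambda_tot_device(self) -> float:
        return self.lambda_tot_safe + self.not_part

    def sff(self) -> float:
        """Safe failure fraction: every safety-function failure except dangerous undetected."""
        return (self.sd + self.lambda_su + self.lambda_dd) / self.lambda_tot_safe

    def dc_s(self) -> float:
        return self.sd / (self.sd + self.lambda_su)

    def dc_d(self) -> float:
        return self.lambda_dd / (self.lambda_dd + self.lambda_du)

    def mtbf_years(self) -> float:
        return (1.0 / (self.lambda_tot_device * FIT) + MTTR_HOURS) / HOURS_PER_YEAR

    def mttf_s_years(self) -> float:
        return 1.0 / ((self.sd + self.lambda_su) * FIT) / HOURS_PER_YEAR

    def mttf_d_years(self) -> float:
        return 1.0 / (self.lambda_du * FIT) / HOURS_PER_YEAR

    def pfd_avg(self, t_proof_years: float) -> float:
        """Simplified 1oo1 average PFD; only λdu contributes (see module docstring)."""
        return self.lambda_du * FIT * t_proof_years * HOURS_PER_YEAR / 2.0


def sil_for(pfd_avg: float, module_share: float) -> int:
    """SIL band the whole loop lands in when this module uses module_share of its PFD budget."""
    loop_pfd = pfd_avg / module_share
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= loop_pfd < upper:
            return sil
    return 0  # outside every band: no SIL claim


# Values transcribed from the page's failure-rate table (not_considered is derived).
ACTIVE = Channel("Active Input", dd_int=20.20, high=30.06, low=101.38, du_int=21.36,
                 not_considered=0.16, no_effect=183.84, sd=0.0, not_part=5.80)
PASSIVE = Channel("Passive Input", dd_int=20.20, high=30.24, low=90.26, du_int=20.64,
                  not_considered=0.16, no_effect=179.50, sd=0.0, not_part=21.80)


def report(ch: Channel) -> str:
    """One-channel summary in the same order as the page's tables (years truncated like the page)."""
    lines = [f"{ch.name}: dd={ch.lambda_dd:.2f} du={ch.lambda_du:.2f} su={ch.lambda_su:.2f} "
             f"tot_safe={ch.lambda_tot_safe:.2f} tot_device={ch.lambda_tot_device:.2f} FIT",
             f"  SFF={ch.sff():.2%} DCs={ch.dc_s():.0%} DCd={ch.dc_d():.2%} MTBF={int(ch.mtbf_years())} y "
             f"MTTF_S={int(ch.mttf_s_years())} y MTTF_D={int(ch.mttf_d_years())} y"]
    for share, t in ((0.10, 1), (0.10, 10), (0.20, 2), (0.20, 20)):
        pfd = ch.pfd_avg(t)
        lines.append(f"  share {share:.0%}, T_proof {t:>2} y: PFDavg={pfd:.2e} -> SIL {sil_for(pfd, share)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ACTIVE))
    print(report(PASSIVE))
```

Running the script reproduces the page's rounded figures for both operating modes; the only inputs that change between active and passive input are λhigh, λlow, λdu int., λno effect and λnot part, which is why λtot device is identical (362.80 FIT) while the safety-function totals differ.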