6
D1054
- SIL 2 Repeater Power Supply and Trip Amplifiers
G.M. International ISM0067-18
Functional Safety Manual and Application
Application for D1054S , active input and 4-20 mA analog current output
Failure category
Failure rates (FIT)
λ
dd
= Total Dangerous Detected failures
105.54
λ
du
= Total Dangerous Undetected failures
42.58
λ
sd
= Total Safe Detected failures
0.00
λ
su
= Total Safe Undetected failures
112.15
λ
tot safe
= Total Failure Rate (Safety Function) =
λ
dd
+
λ
du
+
λ
sd
+
λ
su
260.27
MTBF (safety function, single channel) = (1 /
λ
tot safe
) + MTTR (8 hours)
439 years
λ
no effect
= “No Effect” failures
195.43
λ
not part
= “Not Part” failures
269.40
λ
tot device
= Total Failure Rate (Device) =
λ
tot safe
+
λ
no effect
+
λ
not part
725.10
MTBF (device) = (1 /
λ
tot device
) + MTTR (8 hours)
157 years
λ
sd
λ
su
λ
dd
λ
du
DC
SFF
0.00 FIT
112.15 FIT
105.54 FIT
42.58 FIT
71.25%
83.64%
T[Proof] = 1 year
T[Proof] = 5 years
PFDavg = 1.88 E-04
Valid for
SIL 2
PFDavg = 9.40 E-04
Valid for
SIL 2
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes
≤
10% of total SIF dangerous failures:
Failure rates table according to IEC 61508:2010 Ed.2 :
Failure rate table:
Safety Function and Failure behavior:
D1054S is considered to be operating in Low Demand mode, as a Type B module, having Hardware Fault Tolerance (HFT) = 0.
The failure behaviour of module (only the 4 - 20 mA current output configuration is used for safety application) is described from the following definitions:
Fail-Safe State: is defined as the output going to 0 mA due to module shutdown.
Fail Safe: failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.
Fail Dangerous: failure mode that does not respond to a demand from the process or deviates the output current by more than 3 % (± 0.5 mA) of full span.
Fail High: failure mode that causes the output signal to go above the maximum output current (> 20 mA). Assuming that the application program in the Safety logic solver is
configured to detect High failure, this failure has been classified as a dangerous detected (DD) failure.
Fail Low: failure mode that causes the output signal to go below the minimum output current (< 4 mA). Assuming that the application program in the Safety logic solver is
configured to detect Low failure, this failure has been classified as a dangerous detected (DD) failure.
Fail Dangerous Detected: it’s a dangerous failure which has been detected from module internal diagnostic so that output signal is forced below the minimum output current
< 4 mA (as Fail Low) or above the maximum output current > 20mA (as Fail High).
Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure.
When calculating the SFF, this failure mode is not taken into account.
Fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness.
When calculating the SFF this failure mode is not taken into account.
As the module has been evaluated in accordance with Route 2H (proven-in-use) of the IEC 61508:2010, Diagnostic Coverage DC
≥
60% is required for Type B elements.
Being HFT = 0, in Low Demand mode the maximum achievable functional safety level is SIL 2.
Failure rate date: taken from Siemens Standard SN29500.
Description:
For this application, enable 4 - 20 mA Source mode (see pages 12 and 13 for more information).
The module is powered by connecting 12-24 Vdc power supply to Pins 3 (+ positive) - 4 (- negative). The green LED is lit in presence of supply power.
Active input signal from external powered Tx is applied to Pins 15-16.
Source output current is applied to Pins 1-2. Alarm A and Alarm B Outputs are not used for functional safety purpose.
T[Proof] = 10 years
PFDavg = 1.88 E-03
Valid for
SIL 2
D1054S
Supply
12-24 Vdc
3 +
4 -
14
15
In 1
16
+
External
Powered Tx
-
Current Source
1 +
2 -
Out 1
Safety
PLC
Input
5
6
7
8
Alarm A
Alarm B
Not used for functional safety purpose.
where DC means the diagnostic coverage for the input sensor by module internal diagnostic circuits and by Safety logic solver. This type “B” system, operating in Low Demand mode
with HFT = 0, has got DC = 71.25 %
≥
60 % as required by Route 2H evaluation (proven-in-use) of the IEC 61508:2010.
SC 2: Systematic capability SIL 2.
