D1054 - SIL 2 Repeater Power Supply and Trip Amplifiers
G.M. International ISM0067-18
Functional Safety Manual and Application (page 7)
Application for D1054S, passive input and 4-20 mA analog current output
Failure rates table according to IEC 61508:2010 Ed.2:

Failure category: Failure rates (FIT)
λdd = Total Dangerous Detected failures: 125.61
λdu = Total Dangerous Undetected failures: 45.02
λsd = Total Safe Detected failures: 0.00
λsu = Total Safe Undetected failures: 112.01
λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu: 282.64
MTBF (safety function, single channel) = (1 / λtot safe) + MTTR (8 hours): 404 years
λno effect = “No Effect” failures: 212.86
λnot part = “Not Part” failures: 229.60
λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part: 725.10
MTBF (device) = (1 / λtot device) + MTTR (8 hours): 157 years

Failure rate table:
λsd = 0.00 FIT
λsu = 112.01 FIT
λdd = 125.61 FIT
λdu = 45.02 FIT
DC = 73.62%
SFF = 84.07%
[Wiring diagram] D1054S: Supply 12-24 Vdc at terminals 3 (+) and 4 (-); In 1, 2-wire Tx current source (passive input) at terminals 14 and 15 (terminal 16 also shown); Out 1, current source at terminals 1 (+) and 2 (-) to the Safety PLC input; Alarm A and Alarm B at terminals 5, 6, 7, 8: not used for functional safety purpose.
Description:
For this application, enable 4-20 mA Source mode (see pages 12 and 13 for more information).
The module is powered by connecting a 12-24 Vdc power supply to Pins 3 (+ positive) and 4 (- negative). The green LED is lit in presence of supply power.
The passive input signal from the 2-wire Tx is applied to Pins 14-15.
The source output current is applied to Pins 1-2. Alarm A and Alarm B outputs are not used for functional safety purposes.
Safety Function and Failure behaviour:
D1054S is considered to be operating in Low Demand mode, as a Type B module, having Hardware Fault Tolerance (HFT) = 0.
The failure behaviour of the module (only the 4-20 mA current output configuration is used for the safety application) is described by the following definitions:
Fail-Safe State: defined as the output going to 0 mA due to module shutdown.
Fail Safe: failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.
Fail Dangerous: failure mode that does not respond to a demand from the process or deviates the output current by more than 3 % (± 0.5 mA) of full span.
Fail High: failure mode that causes the output signal to go above the maximum output current (> 20 mA). Assuming that the application program in the Safety logic solver is configured to detect a High failure, this failure has been classified as a dangerous detected (DD) failure.
Fail Low: failure mode that causes the output signal to go below the minimum output current (< 4 mA). Assuming that the application program in the Safety logic solver is configured to detect a Low failure, this failure has been classified as a dangerous detected (DD) failure.
Fail Dangerous Detected: a dangerous failure which has been detected by the module's internal diagnostics, so that the output signal is forced below the minimum output current (< 4 mA, as Fail Low) or above the maximum output current (> 20 mA, as Fail High).
Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account.
Fail “Not part”: failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.
As the module has been evaluated in accordance with Route 2H (proven-in-use) of IEC 61508:2010, a Diagnostic Coverage DC ≥ 60% is required for Type B elements.
Being HFT = 0, in Low Demand mode the maximum achievable functional safety level is SIL 2.
Failure rate data: taken from Siemens Standard SN29500.
In the failure rate table above, DC means the diagnostic coverage for the input sensor by the module's internal diagnostic circuits and by the Safety logic solver. This Type “B” system, operating in Low Demand mode with HFT = 0, has DC = 73.62 % ≥ 60 % as required by the Route 2H evaluation (proven-in-use) of IEC 61508:2010.
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤ 10% of total SIF dangerous failures:
T[Proof] = 1 year: PFDavg = 1.99 E-04, valid for SIL 2
T[Proof] = 5 years: PFDavg = 9.95 E-04, valid for SIL 2
T[Proof] = 10 years: PFDavg = 1.99 E-03, valid for SIL 2
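The following worked calculation is an added example, not part of the G.M. International manual: it takes the FIT values from the failure rate table on this page and recomputes λtot, MTBF, DC and SFF with the standard IEC 61508 definitions, then checks the DC against the Route 2H threshold and the architectural SIL cap (Type B, HFT = 0). The PFDavg function uses the textbook 1oo1 low-demand approximation (λdu × T[Proof] / 2 plus λdd × MTTR), which is an assumption about the method and lands close to, but not exactly on, the page's figures, since the manual also credits 99% proof-test coverage. The `budget_fraction` modelling of the 10% rule is likewise an assumption of this example.

```python
"""Recompute the D1054S safety figures from the FIT values on this page.
Constructed example (not the manufacturer's calculation tool)."""

FIT = 1e-9              # one FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760
MTTR_H = 8              # mean time to restoration used by the manual

# Failure rates in FIT, taken from the failure rate table on this page
LAMBDA_DD = 125.61
LAMBDA_DU = 45.02
LAMBDA_SD = 0.00
LAMBDA_SU = 112.01
LAMBDA_NO_EFFECT = 212.86
LAMBDA_NOT_PART = 229.60

# Route 2H, Type B, HFT = 0 in Low Demand: SIL 2 is the most the hardware can claim (from the page)
ARCHITECTURAL_SIL_CAP = 2
ROUTE_2H_MIN_DC = 0.60


def lambda_tot_safe():
    """Total failure rate of the safety function: dd + du + sd + su (FIT)."""
    return LAMBDA_DD + LAMBDA_DU + LAMBDA_SD + LAMBDA_SU


def lambda_tot_device():
    """Total failure rate of the device: safety function + no effect + not part (FIT)."""
    return lambda_tot_safe() + LAMBDA_NO_EFFECT + LAMBDA_NOT_PART


def mtbf_years(lambda_fit):
    """MTBF = 1 / lambda + MTTR, expressed in years."""
    return (1.0 / (lambda_fit * FIT) + MTTR_H) / HOURS_PER_YEAR


def diagnostic_coverage():
    """DC = dangerous detected / all dangerous failures."""
    return LAMBDA_DD / (LAMBDA_DD + LAMBDA_DU)


def safe_failure_fraction():
    """SFF = (safe + dangerous detected) / total; 'no effect' and 'not part' are excluded."""
    return (LAMBDA_SD + LAMBDA_SU + LAMBDA_DD) / lambda_tot_safe()


def route_2h_dc_ok():
    """Type B elements under Route 2H need DC >= 60 %."""
    return diagnostic_coverage() >= ROUTE_2H_MIN_DC


def pfd_avg(t_proof_years):
    """1oo1 low-demand approximation (assumed method, not the manual's own):
    PFDavg ~= lambda_du * T_proof / 2 + lambda_dd * MTTR.
    Proof-test coverage is not modelled here, so the result sits slightly
    below the 1.99E-04 / 9.95E-04 / 1.99E-03 figures printed on the page."""
    t_h = t_proof_years * HOURS_PER_YEAR
    return LAMBDA_DU * FIT * t_h / 2 + LAMBDA_DD * FIT * MTTR_H


def sil_band(pfd):
    """IEC 61508 low-demand band: SIL n when 10^-(n+1) <= PFDavg < 10^-n, else 0."""
    for sil in (4, 3, 2, 1):
        if 10 ** -(sil + 1) <= pfd < 10 ** -sil:
            return sil
    return 0


def achievable_sil(pfd, budget_fraction=1.0):
    """SIL the module can claim: PFD band after scaling by the share of the
    SIF's PFD budget this module may consume (1.0 = whole band; 0.1 models the
    '<= 10 % of total SIF dangerous failures' case; this modelling is an
    assumption of the example), capped by the architectural constraint."""
    return min(sil_band(pfd / budget_fraction), ARCHITECTURAL_SIL_CAP)


if __name__ == "__main__":
    print(f"lambda_tot_safe   = {lambda_tot_safe():.2f} FIT")
    print(f"lambda_tot_device = {lambda_tot_device():.2f} FIT")
    print(f"MTBF (safety fn)  = {mtbf_years(lambda_tot_safe()):.0f} years")
    print(f"MTBF (device)     = {mtbf_years(lambda_tot_device()):.0f} years")
    print(f"DC = {diagnostic_coverage():.2%}  SFF = {safe_failure_fraction():.2%}")
    for years in (1, 5, 10):
        pfd = pfd_avg(years)
        print(f"T[Proof] = {years:2d} y: PFDavg ~= {pfd:.2E}, SIL {achievable_sil(pfd)}")
```

Running the script reproduces the page's DC (73.62 %), SFF (84.07 %) and both MTBF values; the PFDavg lines show why the 1-year figure alone would sit in the SIL 3 band yet the module is still limited to SIL 2 by the HFT = 0 architectural constraint.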
SC 2: Systematic capability SIL 2.