D1054 - SIL 2 Repeater Power Supply and Trip Amplifiers
G.M. International ISM0067-18
Functional Safety Manual and Application
Application for D1054S, passive input and 1oo2 architecture of alarm trip amplifiers with relay outputs for NE load
[Wiring diagram, D1054S: Supply 12-24 Vdc on Pins 3 (+) and 4 (-). In 1: passive input from 2-wire Tx on Pins 14-15 (Pin 16 unused). Out 1: current or voltage source on Pins 1 (+) and 2 (-), not used for functional safety purpose. Alarm A and Alarm B relay contacts on Pins 5-6 and 7-8, connected in series to a Safety PLC Input or used for NE load driving (+/AC line load, -/AC line load, NE load).]
Description:
For this application, enable both Alarm A and Alarm B trip amplifiers, programmed with equal configuration, using the NE relay condition (see pages 12 and 13 for more information).
The module is powered by connecting a 12-24 Vdc power supply to Pins 3 (+ positive) and 4 (- negative). The green LED is lit when supply power is present.
The passive input signal from the 2-wire Tx is applied to Pins 14-15.
The relay contacts of the Alarm A and Alarm B outputs must be connected in series: Pins 6-7 are connected together by an external wired jumper. Between Pins 5-8 there are therefore 2 relay contacts in 1oo2 series architecture, which can be connected to a safety PLC input or used to drive a NE load. In this case the relays are normally energized, their contacts are closed and the load is normally energized; in case of alarm the system de-energizes to trip, so that the relays are de-energized, the contacts are open and the load is de-energized.
To protect the relay contacts from damage, connect an external protection (fuse or similar) chosen according to the relay breaking capacity (see page 2 for relay contact rating).
The analog (current or voltage) output is not used for functional safety purposes.
Safety Function and Failure behaviour:
D1054S is considered to be operating in Low Demand mode, as a Type B module, having Hardware Fault Tolerance (HFT) = 0.
The failure behaviour of the module (only the Alarm A and Alarm B trip amplifiers are used for the safety application) is described by the following definitions:
Fail-Safe State: defined as the relay outputs being de-energized or the relay contacts remaining open (the user must program, for both alarm amplifiers, the same trip point value, in accordance with the input measured value, at which both output relays must be de-energized).
Fail Safe: failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.
Fail Dangerous: failure mode that leads to a measurement error of more than 3% of the correct value and therefore has the potential not to respond to a demand from the process (i.e. being unable to go to the defined Fail-Safe state), so that the output relays remain energized or the relay contacts remain closed.
Fail Dangerous Detected: a dangerous failure which has been detected by the module internal diagnostics, so that the output relays are forced to be de-energized (that is, to the Fail-Safe state), with relay contacts open.
Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account.
Fail “Not Part”: failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.
Both Alarm A and Alarm B trip amplifiers must be programmed with equal configuration (the same trip values).
As the module has been evaluated in accordance with Route 2H (proven-in-use) of IEC 61508:2010, Diagnostic Coverage DC ≥ 60% is required for Type B elements.
Being HFT = 0, in Low Demand mode the maximum achievable functional safety level is SIL 2.
Failure rate data: taken from Siemens Standard SN29500.
Failure rates table according to IEC 61508:2010 Ed.2:

Failure category                                                                      Failure rates (FIT)
λdd = Total Dangerous Detected failures                                               85.69
λdu = Total Dangerous Undetected failures                                             33.79
λsd = Total Safe Detected failures                                                    0.00
λsu = Total Safe Undetected failures                                                  212.80
λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu              332.28
MTBF (safety function, 1oo2 alarm channel) = (1 / λtot safe) + MTTR (8 hours)         344 years
λno effect = “No Effect” failures                                                     256.82
λnot part = “Not Part” failures                                                       136.00
λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part        725.10
MTBF (device) = (1 / λtot device) + MTTR (8 hours)                                    157 years

Failure rate table:

λsd         λsu          λdd         λdu         DC        SFF
0.00 FIT    212.80 FIT   85.69 FIT   33.79 FIT   71.72%    89.83%

where DC means the diagnostic coverage for the input sensor by the module internal diagnostic circuits. This Type “B” system, operating in Low Demand mode with HFT = 0, has DC = 71.72% ≥ 60% as required by the Route 2H evaluation (proven-in-use) of IEC 61508:2010.
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤ 10% of total SIF dangerous failures:

T[Proof] = 1 year     PFDavg = 1.49 E-04    Valid for SIL 2
T[Proof] = 6 years    PFDavg = 8.94 E-04    Valid for SIL 2

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes > 10% of total SIF dangerous failures:

T[Proof] = 10 years   PFDavg = 1.49 E-03    Valid for SIL 2
SC 2: Systematic capability SIL 2.
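The following script recomputes the figures of the failure rate table (λtot, DC, SFF, MTBF) and the PFDavg vs T[Proof] rows from the FIT values given above, and applies the low-demand PFDavg bands together with the 10% contribution rule and the Route 2H / HFT = 0 limit of SIL 2. It is an added worked example, not code from the G.M. International manual. The FIT values, the 8 hour MTTR and the Route 2H DC ≥ 60% requirement come from the manual; the PFDavg expression (the IEC 61508-6 simplified 1oo1 form, λdu·T/2 + λdd·MTTR) is an assumption about how the manual's figures were obtained, so it reproduces the 1-year value only approximately.

```python
"""Recompute the D1054S failure-rate figures and PFDavg/SIL bands.

Added worked example, not code from the G.M. International manual. The FIT
values are the manual's published figures; the PFDavg expression is the
IEC 61508-6 simplified 1oo1 form (HFT = 0), which is an assumption about how
the manual's figures were obtained.
"""
from dataclasses import dataclass

FIT = 1e-9              # 1 FIT = 1 failure per 1e9 hours
HOURS_PER_YEAR = 8760
MTTR_H = 8.0            # mean time to restoration used by the manual
ROUTE_2H_HFT0_CAP = 2   # Route 2H, Type B, HFT = 0: SIL 2 at most
ROUTE_2H_MIN_DC = 0.60  # Route 2H requires DC >= 60% for Type B elements

# Low-demand PFDavg bands from IEC 61508-1: (SIL, exclusive upper bound)
PFD_BANDS = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))


@dataclass(frozen=True)
class FailureRates:
    """Failure rates in FIT, split by the manual's failure categories."""
    lam_dd: float   # dangerous detected
    lam_du: float   # dangerous undetected
    lam_sd: float   # safe detected
    lam_su: float   # safe undetected
    lam_no_effect: float = 0.0
    lam_not_part: float = 0.0

    @property
    def lam_tot_safe(self) -> float:
        """Total failure rate of the safety function."""
        return self.lam_dd + self.lam_du + self.lam_sd + self.lam_su

    @property
    def lam_tot_device(self) -> float:
        """Total failure rate of the device, including no-effect and not-part."""
        return self.lam_tot_safe + self.lam_no_effect + self.lam_not_part

    def diagnostic_coverage(self) -> float:
        """DC: fraction of dangerous failures caught by the internal diagnostics."""
        return self.lam_dd / (self.lam_dd + self.lam_du)

    def safe_failure_fraction(self) -> float:
        """SFF: all safety-function failures except dangerous undetected ones.
        No-effect and not-part rates are excluded, as the manual states."""
        return (self.lam_sd + self.lam_su + self.lam_dd) / self.lam_tot_safe


def mtbf_years(lam_fit: float, mttr_h: float = MTTR_H) -> float:
    """MTBF = 1/lambda + MTTR, converted from hours to years."""
    return (1.0 / (lam_fit * FIT) + mttr_h) / HOURS_PER_YEAR


def pfd_avg(rates: FailureRates, t_proof_years: float, mttr_h: float = MTTR_H) -> float:
    """Simplified IEC 61508-6 1oo1 PFDavg: lam_du * T/2 + lam_dd * MTTR (assumption)."""
    t_h = t_proof_years * HOURS_PER_YEAR
    return rates.lam_du * FIT * t_h / 2.0 + rates.lam_dd * FIT * mttr_h


def pfd_band_sil(pfd: float, minor_contributor: bool) -> int:
    """SIL whose PFDavg band admits this value (0 if none).
    A subsystem taking <= 10% of the SIF budget must fit within 10% of the band,
    so its PFDavg is scaled by 10 before the lookup."""
    value = pfd * 10.0 if minor_contributor else pfd
    for sil, upper in PFD_BANDS:
        if value < upper:
            return sil
    return 0


def achievable_sil(rates: FailureRates, t_proof_years: float, minor_contributor: bool) -> int:
    """Combine the PFDavg band with the Route 2H architectural constraints."""
    if rates.diagnostic_coverage() < ROUTE_2H_MIN_DC:
        return 0
    band = pfd_band_sil(pfd_avg(rates, t_proof_years), minor_contributor)
    return min(band, ROUTE_2H_HFT0_CAP)


# Figures from the D1054S failure rate table (FIT)
D1054S = FailureRates(lam_dd=85.69, lam_du=33.79, lam_sd=0.00, lam_su=212.80,
                      lam_no_effect=256.82, lam_not_part=136.00)

if __name__ == "__main__":
    r = D1054S
    print(f"lambda_tot_safe = {r.lam_tot_safe:.2f} FIT, lambda_tot_device = {r.lam_tot_device:.2f} FIT")
    print(f"DC = {r.diagnostic_coverage():.2%}, SFF = {r.safe_failure_fraction():.2%}")
    print(f"MTBF safety function = {mtbf_years(r.lam_tot_safe):.0f} years, "
          f"device = {mtbf_years(r.lam_tot_device):.0f} years")
    for t, minor in ((1, True), (6, True), (10, False)):
        print(f"T[Proof] = {t:>2} years: PFDavg = {pfd_avg(r, t):.2e}, "
              f"{'<=' if minor else '>'}10% contributor -> SIL {achievable_sil(r, t, minor)}")
```

Running it reproduces DC = 71.72%, SFF = 89.83% and the two MTBF values exactly, and lands within 2% of the manual's 1-year PFDavg. The band lookup also shows why the 10-year row appears only in the > 10% table: 1.49 E-03 lies in the SIL 2 band on its own, but scaled by 10 under the ≤ 10% rule it would fall into the SIL 1 band.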