6
D1093
- SIL 3 Relay Output Module with Line and Load diagnostics
G.M. International ISM0093-12
Application for D1093S - Normally De-energized relay condition for ND Load
Functional Safety Manual and Applications
Energized to trip operation
Normal state operation
Description:
Input Signal from PLC/DCS is normally Low (0 Vdc) and is applied to pins 13-14 in order to Normally De-energize (ND) the internal relays.
Input Signal from PLC/DCS is High (24 Vdc) during “Energize to trip” operation, in order energize the internal relays.
The Load is Normally De-energized (ND), therefore its safe state is to be energized.
Disconnection of the ND Load is done on only one supply line.
Service load (connected between 5 - 6 pins) can be used to monitoring contacts 3 - 7.
The following table describes the status (open or closed) of each output contact when the input signal is High or Low.
Safety Function and Failure behavior:
D1093S is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
In this Functional Safety application, the normal state operation of relay module is de-energized, with ND (Normally De-energized) load.
In case of alarm or request from process, the relay module is energized (safe state), energizing the load.
The failure behaviour of the relay module is described by the following definitions:
□
fail-Safe State: it is defined as the output load being energized;
□
fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;
□
fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state),
so that the output load remains de-energized.
□
fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;
When calculating the SFF this failure mode is not taken into account.
□
fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness;
When calculating the SFF this failure mode is not taken into account.
Failure rate date: taken from Siemens Standard SN29500.
Failure rate table:
Failure rates table according to IEC 61508:2010 Ed.2 :
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 90%), with determination of SIL supposing module contributes
≤
10% of total SIF dangerous failures:
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 90%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
Systematic capability SIL 3.
Operation
Input Signal
Pins 13-14
Pins
1 - 5
Pins
2 - 6
Service Load
Pins 5 - 6
Pins
3 - 7
ND Load (SIL3)
Pins 7 - 8
Normal
Low (0 Vdc)
Open
Open
De-Energized Open De-Energized
Trip
High (24 Vdc)
Closed Closed
Energized Closed Energized
Failure category
Failure rates (FIT)
λ
dd
= Total Dangerous Detected failures
0.00
λ
du
= Total Dangerous Undetected failures
2.35
λ
sd
= Total Safe Detected failures
0.00
λ
su
= Total Safe Undetected failures
96.00
λ
tot safe
=
Total Failure Rate (Safety Function) =
λ
dd
+
λ
du
+
λ
sd
+
λ
su
98.35
MTBF (Safety Function, single channel) = (1 /
λ
tot safe
) + MTTR
1160 years
λ
no effect
= “No Effect” failures
231.85
λ
not part
= “Not Part” failures
301.40
λ
tot device
=
Total Failure Rate (Device)
=
λ
tot safe
+
λ
no effect
+
λ
not part
631.60
MTBF (Device, single channel) = (1 /
λ
tot device
) + MTTR
180 years
T[Proof] = 1 year
T[Proof] = 9 years
PFDavg = 1.03 E-05 - Valid for
SIL 3
PFDavg = 9.27 E-05 - Valid for
SIL 3
T[Proof] = 20 years
PFDavg = 2.06 E-04 - Valid for
SIL 2
5
1
7
3
2
6
4
8
PLC
Output ON
24 Vdc
Internally
connected
5
1
7
3
2
6
4
8
PLC
Output OFF
0 Vdc
Internally
connected
SIL 3
Load
Service Load
(not for Safety
Function purpose)
SIL 3
Load
Service Load
(not for Safety
Function purpose)
+ / AC Load Line
- / AC Load Line
+ / AC Load Line
- / AC Load Line
λ
sd
λ
su
λ
dd
λ
du
SFF
0.00 FIT
96.00 FIT
0.00 FIT
2.35 FIT
97.61%
