D5037 - SIL 2 Switch/Proximity Detector Repeater Transistor Out
G.M. International ISM0270-3 Functional Safety Manual and Application (page 6)

Application for D5037D
Safety Function and Failure behavior:
D5037D is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
The failure behavior is described using the following definitions:
- Fail-Safe State: defined as the transistor output being open;
- Fail Safe: failure mode that causes the module / (sub)system to go to the defined Fail-Safe state without a demand from the process;
- Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined Fail-Safe state), so that the transistor output remains closed;
- Fail “No Effect”: failure mode of a component that plays a part in implementing the Safety Function but that is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account;
- Fail “Not part”: failure mode of a component that is not part of the Safety Function but that is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.
The 2 channels of the D5037D module must not be used to increase the hardware fault tolerance needed for a higher SIL of a certain Safety Function, as they are not completely independent of each other, containing common components.
Failure rate data: taken from Siemens Standard SN29500.
| Input signal state, Pins 7-8 (In 1 - Ch.1) or 9-10 (In 2 - Ch.2) | Transistor output state, Pins 1-2 (Out 1 - Ch.1) or 3-4 (Out 2 - Ch.2) | Channel status yellow LED state | Channel fault red LED state |
|---|---|---|---|
| Proximity sensor is OFF or switch is open | Open (De-energized transistor) | OFF | OFF |
| Proximity sensor is ON or switch is closed | Closed (Energized transistor) | ON | OFF |
| Independently from proximity sensor or switch state, the input line is broken | Open (De-energized transistor as safe state condition) | OFF | ON |
| Independently from proximity sensor or switch state, the input line is in short circuit | Open (De-energized transistor as safe state condition) | OFF | ON |
Description:
For this application, enable input line fault (open or short) detection and the direct input-to-output transfer function by setting the internal dip-switches as follows (see page 9 for more information):

| Dip-switch position | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| ON/OFF state | ON | OFF | ON | OFF |

[Wiring diagrams for D5037D (Ch.1 and Ch.2), OFF operation and ON operation: Supply 24 Vdc on Pins 5 (+) and 6 (-); In 1 on Pins 7-8 and In 2 on Pins 9-10; Out 1 on Pins 1-2 and Out 2 on Pins 3-4, each wired to a Safety PLC input. OFF operation: field input proximity is OFF or switch is open, Out 1 / Out 2 transistor is de-energized, out is open. ON operation: field input proximity is ON or switch is closed, Out 1 / Out 2 transistor is energized, out is closed.]

The module is powered by connecting a 24 Vdc power supply to Pins 5 (+ positive) and 6 (- negative). The green LED is lit when supply power is present.
Input signals from the field are applied to Pins 7-8 (In 1 - Ch.1) and Pins 9-10 (In 2 - Ch.2).
Transistor outputs on Pins 1-2 (Channel 1) and Pins 3-4 (Channel 2) are both normally open (transistor de-energized, the safe state condition) for OFF operation, and both closed (transistor energized) for ON operation.
The table above describes, for each channel, the state (open or closed) of its output when its input signal is in the OFF or ON state, together with the turn-on or turn-off of the related channel status LED and channel fault LED.
Failure rates table according to IEC 61508:2010 Ed.2:

| Failure category | Failure rates (FIT) |
|---|---|
| λdd = Total Dangerous Detected failures | 0.00 |
| λdu = Total Dangerous Undetected failures | 27.48 |
| λsd = Total Safe Detected failures | 0.00 |
| λsu = Total Safe Undetected failures | 98.30 |
| λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu | 125.78 |
| MTBF (safety function, channel 1) = (1 / λtot safe) + MTTR (8 hours) | 907 years |
| λno effect = “No Effect” failures | 142.42 |
| λnot part = “Not Part” failures | 148.40 |
| λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part | 416.60 |
| MTBF (device, channel 1) = (1 / λtot device) + MTTR (8 hours) | 274 years |

Failure rate table:

| λsd | λsu | λdd | λdu | SFF |
|---|---|---|---|---|
| 0.00 FIT | 98.30 FIT | 0.00 FIT | 27.48 FIT | 78.15% |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤ 10% of total SIF dangerous failures:

| T[Proof] = 1 year | T[Proof] = 8 years |
|---|---|
| PFDavg = 1.21 E-04 Valid for SIL 2 | PFDavg = 9.65 E-04 Valid for SIL 2 |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes > 10% of total SIF dangerous failures:

| T[Proof] = 20 years |
|---|
| PFDavg = 2.41E-03 Valid for SIL 2 |

Systematic capability SIL 3.
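A worked check of the figures above, as an added example that is not part of the G.M. International manual: it recomputes λtot safe, λtot device, SFF, MTBF and PFDavg from the FIT values and derives the claimable SIL. The PFDavg approximation (λdu · T[Proof] / 2 for a 1oo1 low-demand channel) and the reading of the ≤ 10% rule as a tenfold tighter PFDavg limit per SIL band are assumptions made here, not formulas stated in the manual.

```python
# Added worked example (not from the manual): recomputes the D5037D SFF, MTBF
# and PFDavg figures from the FIT values in the failure-rate table. Assumed:
# PFDavg ~ lambda_du*T/2 (1oo1 low demand) and that a module contributing
# <=10% of SIF dangerous failures gets 10% of each SIL band's PFDavg limit.
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # 1 FIT = 1 failure per 1e9 hours
MTTR_HOURS = 8.0
# Failure rates (FIT) quoted in the manual's table for one channel
LAMBDA_DD, LAMBDA_DU = 0.00, 27.48
LAMBDA_SD, LAMBDA_SU = 0.00, 98.30
LAMBDA_NO_EFFECT, LAMBDA_NOT_PART = 142.42, 148.40

def lambda_tot_safe():
    """Total failure rate of the Safety Function: dd + du + sd + su."""
    return LAMBDA_DD + LAMBDA_DU + LAMBDA_SD + LAMBDA_SU

def lambda_tot_device():
    """Whole-device rate adds the 'No Effect' and 'Not Part' failures."""
    return lambda_tot_safe() + LAMBDA_NO_EFFECT + LAMBDA_NOT_PART

def sff_percent():
    """Safe Failure Fraction: all failures except dangerous undetected ones."""
    return 100.0 * (LAMBDA_SD + LAMBDA_SU + LAMBDA_DD) / lambda_tot_safe()

def mtbf_years(lambda_fit):
    """MTBF = 1/lambda + MTTR as the manual defines it, truncated to whole years."""
    return int((1.0 / (lambda_fit * FIT) + MTTR_HOURS) / HOURS_PER_YEAR)

def pfd_avg(t_proof_years):
    """Assumed 1oo1 low-demand approximation: lambda_du * T[Proof] / 2."""
    return LAMBDA_DU * FIT * t_proof_years * HOURS_PER_YEAR / 2.0

def sil_from_pfd(pfd, share_over_10pct):
    """SIL band for a PFDavg; a <=10% contributor gets only 10% of each band."""
    scale = 1.0 if share_over_10pct else 0.1
    for sil, band_upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < band_upper * scale:
            return sil
    return 0

def sil_architectural(sff):
    """IEC 61508-2 Route 1H limit for a Type A element with HFT = 0."""
    return 4 if sff >= 99 else 3 if sff >= 90 else 2 if sff >= 60 else 1

def claimed_sil(t_proof_years, share_over_10pct):
    """Claimable SIL: the lower of the PFDavg band and the architectural limit."""
    return min(sil_from_pfd(pfd_avg(t_proof_years), share_over_10pct),
               sil_architectural(sff_percent()))
```

The recomputed PFDavg values land within 1% of the quoted ones, which is consistent with the manual rounding λdu before printing it.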