GMI D5062S Instruction & Safety Manual Download Page 10

Page: 10 / 12

D5062

- SIL 2 Vibration Transducer Interface

G.M. International ISM0184-7

Functional Safety Manual and Application

Application for D5062S, with 2 wires AC (unpowered) transducer input

Failure category

Failure rates (FIT)

= Total Dangerous Detected failures

160.84

= Total Dangerous Undetected failures

71.96

= Total Safe Detected failures

0.00

= Total Safe Undetected failures

0.00

tot safe

= Total Failure Rate (Safety Function) =

232.80

MTBF (safety function, single channel) = (1 /

tot safe

) + MTTR (8 hours)

490 years

no effect

= “No Effect” failures

269.70

not part

= “Not Part” failures

22.70

tot device

= Total Failure Rate (Device) =

tot safe

no effect

not part

525.20

MTBF (device, single channel) = (1 /

tot device

) + MTTR (8 hours)

217 years

SFF

0.0 FIT

0.00 FIT

160.84 FIT

71.96 FIT

69.09%

T[Proof] = 1 year

T[Proof] = 3 years

PFDavg = 3.17E-04

Valid for

SIL 2

PFDavg = 9.51E-04

Valid for

SIL 2

PFDavg vs T[Proof] table

(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:

PFDavg vs T[Proof] table

(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes

≤

10% of total SIF dangerous failures:

Failure rates table according to IEC 61508:2010 Ed.2 :

Failure rate table:

Safety Function and Failure behavior:

D5062S is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
The failure behaviour is described by the following definitions:

□

Fail-Safe State: is defined as the output going Low or High, considering that the safety logic solver can convert the Low or High fail (dangerous detected) to the fail-safe state.

□

Fail Safe: a failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.

□

Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state) or deviates the output voltage by more

than 5 % of full span (> ± 1 Vdc).

□

Fail High: a failure mode that causes the output signal to go below the maximum negative voltage (< -20 Vdc). Assuming that the application program in the safety logic solver is

configured to detect High failure and does not automatically trip on this failure, this failure has been classified as a dangerous detected (DD) failure.

□

Fail Low: a failure mode that causes the output signal to go above the minimum negative voltage (> -0.5 Vdc). Assuming that the application program in the safety logic solver is

configured to detect Low failure and does not automatically trip on this failure, this failure has been classified as a dangerous detected (DD) failure.

□

Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure because the output

voltage is deviated by less than 5 % of full span (< ± 1 Vdc). When calculating the SFF, this failure mode is not taken into account.

□

Fail “Not part”: failure mode of a component that is not part of the safety function but part of the circuit diagram and is listed for completeness. When calculating the SFF, this

failure mode is not taken into account.

Failure rate date: taken from Siemens Standard SN29500.

Description:

For this application, set the internal dip-switches in the following mode (see page 11 for more information):

D5062S

Signal -

Out

The D5062S module is supplied (with 18 to 30Vdc supply voltage) at Pins 5 (+) – 6 (-). The green LED is lit in presence of supply power.

The input transducer AC signal (0 to 20Vpp, DC to 20kHz) is applied between Pins 8-7/9 (-Signal, Common). No DC offset must be applied.

The input signal (0 to 20Vpp, DC to 20kHz) is identically repeated at output Pins 1-2 (-Signal, Common).

T[Proof] = 20 years

PFDavg = 6.34E-03