D5202S - 4 A, 24 Vdc, SIL 3 Power Distribution and Diagnostic Module
G.M. International ISM0177-4
Functional Safety Manual and Applications
Safety Function and Failure behaviour:
D5202S is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
The failure behaviour of the module is described by the following definitions:
□ fail-Safe State: defined as the output voltage (on Power Bus) deviating inside the allowed 18 to 30 Vdc range or below 2 Vdc;
□ fail Safe: a failure that causes the system to go to the defined fail-safe state without a process demand;
□ fail Dangerous: a failure mode that does not respond to a demand from the process (i.e. the module is unable to go to the defined fail-safe state), so that the output voltage (on Power Bus) deviates between 2 Vdc and 18 Vdc;
□ fail “No effect”: a failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;
□ fail “Not part”: a failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account. It is also not considered for the total failure rate evaluation.
Failure rates table according to IEC 61508:2010 Ed.2:

| λsd | λsu | λdd | λdu | SFF |
|---|---|---|---|---|
| 0.00 FIT | 36.88 FIT | 0.00 FIT | 0.05 FIT | 99.86% |
PFDavg vs T[Proof] table (assuming Proof Test coverage of 95%), with determination of SIL supposing the module contributes ≤ 10% of total SIF dangerous failures:

| T[Proof] = 1 year | T[Proof] = 20 years |
|---|---|
| PFDavg = 2.19 E-07 - Valid for SIL 3 | PFDavg = 4.38 E-06 - Valid for SIL 3 |
Failure rate table:

| Failure category | Failure rates (FIT) |
|---|---|
| λdd = Total Dangerous Detected failures | 0.00 |
| λdu = Total Dangerous Undetected failures | 0.05 |
| λsd = Total Safe Detected failures | 0.00 |
| λsu = Total Safe Undetected failures | 36.88 |
| λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu | 36.93 |
| λno effect = “No effect” failures | 119.12 |
| λnot part = “Not Part” failures | 293.40 |
| λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part | 449.45 |
| MTBF (device, single channel) = (1 / λtot device) + MTTR (8 hours) | 254 years |
| MTBF (safety function, single channel) = (1 / λtot safe) + MTTR (8 hours) | 3091 years |
| MTTFS (Total Safe) = 1 / (λsd + λsu) | 3095 years |
| MTTFD (Dangerous) = 1 / λdu | 2.28 E+06 years |
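As an added worked example (not code from the G.M. International manual), the following Python recomputes the figures of the failure rate and PFDavg tables above from the page's FIT values, including the SIL determination under the ≤ 10% contribution rule and the IEC 61508-2 Route 1H architectural limit for a Type A, HFT = 0 element. It assumes 8760 h per year and the simplified low-demand formula PFDavg = λdu·T/2, which reproduces the tabulated values without applying the stated 95% proof test coverage.

```python
HOURS_PER_YEAR = 8760
MTTR_H = 8  # mean time to repair used by the page
# FIT values copied from the page's failure rate table (1 FIT = 1e-9 failures/h)
FIT = {"sd": 0.00, "su": 36.88, "dd": 0.00, "du": 0.05,
       "no_effect": 119.12, "not_part": 293.40}
# Upper PFDavg limit of each low-demand SIL band (IEC 61508-1)
PFD_BAND_MAX = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

def per_hour(fit):
    return fit * 1e-9

def lambda_tot_safe(f=FIT):
    """Total failure rate of the safety function (FIT): dd + du + sd + su."""
    return f["dd"] + f["du"] + f["sd"] + f["su"]

def lambda_tot_device(f=FIT):
    """Whole-device rate (FIT): safety function + no effect + not part."""
    return lambda_tot_safe(f) + f["no_effect"] + f["not_part"]

def sff(f=FIT):
    """Safe Failure Fraction: everything in the safety function except lambda_du."""
    return (f["sd"] + f["su"] + f["dd"]) / lambda_tot_safe(f)

def mtbf_years(fit_total, mttr_h=MTTR_H):
    """MTBF = 1/lambda + MTTR in years; pass mttr_h=0 to get the MTTF."""
    return (1 / per_hour(fit_total) + mttr_h) / HOURS_PER_YEAR

def pfd_avg(fit_du, t_proof_years):
    """Low-demand, HFT = 0 approximation: PFDavg = lambda_du * T_proof / 2."""
    return per_hour(fit_du) * t_proof_years * HOURS_PER_YEAR / 2

def sil_from_pfd(pfd, max_contribution=0.10):
    """Highest SIL band the module fits in when it may use at most
    max_contribution (10 % on this page) of the SIF's PFDavg budget."""
    return max((s for s, lim in PFD_BAND_MAX.items()
                if pfd <= lim * max_contribution), default=0)

def sil_from_architecture(sff_value):
    """IEC 61508-2 Route 1H limit for a Type A element with HFT = 0."""
    if sff_value < 0.60:
        return 1
    if sff_value < 0.90:
        return 2
    return 3  # SFF >= 90 % with HFT = 0 cannot claim more than SIL 3

def achievable_sil(pfd, sff_value):
    """The claimable SIL is bounded by both the PFDavg band and the architecture."""
    return min(sil_from_pfd(pfd), sil_from_architecture(sff_value))
```

Note that the 20-year PFDavg alone would fit the SIL 4 band, and it is the HFT = 0 architectural constraint that caps the module at SIL 3, as the table states.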
The D5202S can repeat the common fault signal from the Power and Fault Bus; therefore, considering all diagnostic functions enabled, the cumulative fault diagnostic functionality is described by the following table, where the status (open or closed) of the Common Fault output contact is related to the common fault signal:

| Common Fault signal on Power and Fault Bus | Common Fault - NO contact, Pins 1-2 | Common Fault - NC contact, Pins 1-3 | COM FLT LED state |
|---|---|---|---|
| High signal between Fault pole and Negative (-) pole of BUS (Normal condition) | Closed (Normal condition) | Open (Normal condition) | OFF |
| Low signal between Fault pole and Negative (-) pole of BUS (Common Fault condition) | Open (Common Fault condition) | Closed (Common Fault condition) | ON |
Testing procedure at T-proof
The proof test shall be performed to reveal dangerous faults which are undetected by diagnostics. This means that it is necessary to specify how the dangerous undetected faults noted during the FMEDA can be revealed during the proof test. The proof test consists of the following steps:

| Steps | Action |
|---|---|
| 1 | Bypass the safety-related PLC or take other appropriate action to avoid a false trip when removing the unit for test. |
| 2 | Supply the D5202S by means of two DC power sources, whose values must be between 20 and 30 Vdc, connected between terminals 9-10 (Supply Line 1) and 11-12 (Supply Line 2). Connect a DC voltmeter between Power Bus terminals 1 and 2. In this condition, the output supply voltage, measured by means of the DC voltmeter, should be close to the higher input supply voltage value and neither of the “FLT1” and “FLT2” LEDs should be lit. If, on the other hand, an output supply voltage between 2 and 18 Vdc is measured and the “FLT1” and “FLT2” LEDs are turned off, a dangerous failure which has produced a wrong output voltage of the ideal diode controller circuits is detected. |
| 3 | Use the same setup described in the previous step and measure, by means of an AC voltmeter, the rms value of the output voltage. In normal operating conditions, the output supply voltage should have no AC components, that is, its rms value should ideally be zero. If an rms value well above 0 Vrms is measured (a reasonable value could be 50% of the higher supply line value, i.e. 12 Vrms compared to 24 Vdc), a dangerous failure which has produced an oscillation of the ideal diode controller circuits is detected. |
| 4 | Restore the loop to full operation. |
| 5 | Remove the bypass from the safety-related PLC or restore normal operation by inserting the unit. |

This test reveals around 95 % of all possible Dangerous Undetected failures in this module.
Systematic capability SIL 3