D6038 - SIL3 Line-Fault Transp. Switch/Prox. Repeater

G.M. International ISM0433-0

Functional Safety Manual and Application

Application for double channel D6038DA or D6038DB

 

[Figure: two wiring diagrams of the D6038DA or D6038DB (Ch.1 and Ch.2), each with Supply 24 Vdc on terminals 5 (+) and 6 (-), field inputs In 1 (terminal 8, Channel 1) and In 2 (terminal 10, Channel 2), and outputs Out 1 and Out 2 each wired to a Safety PLC Input.

OFF operation: Field Input: proximity is OFF or switch is open. Out 1 and Out 2 resistance value is RH (for direct function) or RL (for reverse function).

ON operation: Field Input: proximity is ON or switch is closed. Out 1 and Out 2 resistance value is RL (for direct function) or RH (for reverse function).]

Description:

  

For this application, enable input line fault (open or short) detection for each channel and choose the direct or reverse input-to-output transfer function by setting the internal dip-switches as shown below (for more information, please see the instruction manual ISM0431). Dips 1 and 2 relate to Ch.1 and dips 3 and 4 relate to Ch.2:

| Dip-switch position | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| ON/OFF state | ON | OFF (direct) or ON (reverse) | ON | OFF (direct) or ON (reverse) |

The module is powered by connecting a 24 Vdc power supply to Pins 5 (+ positive) and 6 (- negative). The green LED is lit when supply power is present.

Input signals from the field are applied to Pins 7-8 (In 1 - Ch.1) and Pins 9-10 (In 2 - Ch.2). Output Pins 1-2 (for Channel 1) and Output Pins 3-4 (for Channel 2) present the RH (direct function) or RL (reverse function) resistance value for OFF operation, and the RL (direct function) or RH (reverse function) resistance value for ON operation. The following table gives, for each channel (Channel 1 or Channel 2), the output resistance value when its input signal is in the OFF or ON state, together with the state of its channel status LED and channel fault LED:

| Input 1 or Input 2 signal state, Pins 7-8 (In 1 - Ch.1) or Pins 9-10 (In 2 - Ch.2) | Out 1 or Out 2 resistance value, Pins 1-2 (Out 1 - Ch.1) or Pins 3-4 (Out 2 - Ch.2) | Ch.1 or Ch.2 status yellow LED state | Ch.1 or Ch.2 fault red LED state |
|---|---|---|---|
| Proximity sensor is OFF or switch is open | RH (direct function) or RL (reverse function) | OFF (direct function), ON (reverse function) | OFF |
| Proximity sensor is ON or switch is closed | RL (direct function) or RH (reverse function) | ON (direct function), OFF (reverse function) | OFF |
| Independently from proximity sensor or switch state, input line is broken | RH (direct or reverse function) as safe state condition | OFF (direct or reverse function) | ON |
| Independently from proximity sensor or switch state, input line is short circuited | RH (direct or reverse function) as safe state condition | OFF (direct or reverse function) | ON |

Safety Function and Failure behavior:

  

D6038D is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
For each channel, the failure behaviour is described by the following definitions:

- fail-Safe State: it is defined as two cases: 1st) the channel output being open, with output resistance equal to or greater than RH; 2nd) the channel output being in short circuit, with output resistance equal to zero or much lower than RL. The module output must be monitored by a Digital Input channel of a Safety PLC in order to detect open circuit (very high resistance) or short circuit (very low resistance) of the output channel;

- fail Safe: failure mode that causes the module / (sub)system to go to the defined Fail-Safe state without a demand from the process;

- fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined Fail-Safe state), so that the channel output is blocked in closed position, with output resistance equal to or less than RL, but not equal to short circuit and therefore not detectable by a Digital Input channel of a Safety PLC;

- fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure. When calculating the SFF this failure mode is not taken into account;

- fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not considered for the total failure rate (safety function) evaluation.

Failure rate data: taken from Siemens Standard SN29500.

| Failure category | Failure rates (FIT) |
|---|---|
| $\lambda_{dd}$ = Total Dangerous Detected failures | 0.00 |
| $\lambda_{du}$ = Total Dangerous Undetected failures | 10.40 |
| $\lambda_{sd}$ = Total Safe Detected failures | 0.00 |
| $\lambda_{su}$ = Total Safe Undetected failures | 211.70 |
| $\lambda_{\text{tot safe}}$ = Total Failure Rate (Safety Function) = $\lambda_{dd} + \lambda_{du} + \lambda_{sd} + \lambda_{su}$ | 222.10 |
| MTBF (safety function, one channel) = $(1 / \lambda_{\text{tot safe}})$ + MTTR (8 hours) | 514 years |
| $\lambda_{\text{no effect}}$ = “No Effect” failures | 244.90 |
| $\lambda_{\text{not part}}$ = “Not Part” failures | 337.70 |
| $\lambda_{\text{tot device}}$ = Total Failure Rate (Device) = $\lambda_{\text{tot safe}} + \lambda_{\text{no effect}} + \lambda_{\text{not part}}$ | 804.70 |
| MTBF (device) = $(1 / \lambda_{\text{tot device}})$ + MTTR (8 hours) | 142 years |

| $\lambda_{sd}$ | $\lambda_{su}$ | $\lambda_{dd}$ | $\lambda_{du}$ | SFF |
|---|---|---|---|---|
| 0.00 FIT | 211.70 FIT | 0.00 FIT | 10.40 FIT | 95.3% |

Failure rates table according to IEC 61508:2010 Ed.2 : 

Failure rate table:

 

| T[Proof] = 1 year | T[Proof] = 2 years |
|---|---|
| PFDavg = 4.56 E-05 Valid for SIL 3 | PFDavg = 9.13 E-05 Valid for SIL 3 |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes 10% of total SIF dangerous failures:

| T[Proof] = 5 years |
|---|
| PFDavg = 2.28 E-04 Valid for SIL 3 |

SC3: Systematic capability SIL 3.
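The derived figures in the tables above can be cross-checked from the base FIT rates. The Python below is an added example, not part of the G.M. International manual; the 8760-hour year, the simplified single-channel approximation PFDavg = λdu · T[Proof] / 2 (which does not model the stated 99% proof test coverage) and all function names are assumptions.

```python
# Added cross-check of the manual's per-channel reliability figures.
FIT = 1e-9              # 1 FIT = 1 failure per 1e9 hours
HOURS_PER_YEAR = 8760   # assumption: 365-day year
MTTR_H = 8              # MTTR used in the manual's MTBF rows

# Failure rates in FIT, copied from the failure rate table.
RATES = {"dd": 0.00, "du": 10.40, "sd": 0.00, "su": 211.70,
         "no_effect": 244.90, "not_part": 337.70}

def lambda_tot_safe(r=RATES):
    """Total failure rate of the safety function (FIT)."""
    return r["dd"] + r["du"] + r["sd"] + r["su"]

def lambda_tot_device(r=RATES):
    """Total device failure rate, including 'No Effect' and 'Not Part' (FIT)."""
    return lambda_tot_safe(r) + r["no_effect"] + r["not_part"]

def mtbf_years(lambda_fit, mttr_h=MTTR_H):
    """MTBF = 1/lambda + MTTR, converted from hours to years."""
    return (1.0 / (lambda_fit * FIT) + mttr_h) / HOURS_PER_YEAR

def sff(r=RATES):
    """Safe Failure Fraction: every safety-function failure except dangerous undetected."""
    return (r["sd"] + r["su"] + r["dd"]) / lambda_tot_safe(r)

def pfd_avg(t_proof_years, r=RATES):
    """Assumed simplified HFT = 0 approximation: lambda_du * T[Proof] / 2."""
    return r["du"] * FIT * t_proof_years * HOURS_PER_YEAR / 2

def within_sil3_share(pfd, share):
    """True if pfd is below `share` of the SIL 3 low-demand upper limit (PFDavg < 1e-3)."""
    return pfd < share * 1e-3

if __name__ == "__main__":
    print(f"lambda_tot_safe   = {lambda_tot_safe():.2f} FIT")
    print(f"lambda_tot_device = {lambda_tot_device():.2f} FIT")
    print(f"MTBF (safety)     = {mtbf_years(lambda_tot_safe()):.0f} years")
    print(f"MTBF (device)     = {mtbf_years(lambda_tot_device()):.0f} years")
    print(f"SFF               = {sff() * 100:.1f} %")
    for years in (1, 2, 5):
        p = pfd_avg(years)
        print(f"T[Proof] = {years} y: PFDavg = {p:.2E}, "
              f"within 10% share: {within_sil3_share(p, 0.10)}, "
              f"within full SIL 3 band: {within_sil3_share(p, 1.0)}")
```

Under these assumptions the script reproduces 222.10 FIT, 804.70 FIT, 514 years, 142 years, 95.3% and the 1-year and 5-year PFDavg values as printed; the 2-year value computes to 9.11E-05 against the printed 9.13 E-05.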

 
