D1092 - SIL 3 Relay Output Module
G.M. International ISM0091-11
Description:
Input Signal from PLC/DCS is normally Low (0 Vdc) and is applied to pins 13-14 or 9-11 (D1092S or 1st ch. of D1092D) and pins 15-16 or 10-12 (2nd ch. of D1092D) in order to keep the internal relays Normally De-energized (ND).
Input Signal from PLC/DCS is High (24 Vdc) during "Energize to trip" operation, in order to energize the internal relays.
The Load is Normally De-energized (ND), therefore its safe state is to be energized.
Disconnection of the ND Load is done on only one supply line.
A service load connected in series to the 1-2 contact can be used to monitor the 3-4 contact. A service load connected in series to the 5-6 contact can be used to monitor the 7-8 contact.
The following table describes the status (open or closed) of each output contact when the input signal is High or Low.
Safety Function and Failure behavior:
D1092S is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
In this Functional Safety application, the normal state operation of relay module is de-energized, with ND (Normally De-energized) load.
In case of alarm or request from process, the relay module is energized (safe state), energizing the load.
The failure behaviour of the relay module is described by the following definitions:
□ fail-Safe State: it is defined as the output load being energized;
□ fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;
□ fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state), so that the output load remains de-energized.
□ fail "No effect": failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure; when calculating the SFF this failure mode is not taken into account.
□ fail "Not part": failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness; when calculating the SFF this failure mode is not taken into account.
Failure rate data: taken from Siemens Standard SN29500.
Failure rate table:
Failure rates table according to IEC 61508:2010 Ed.2 :
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
Systematic capability SIL 3.
| Failure category | Failure rates (FIT) |
|---|---|
| λdd = Total Dangerous Detected failures | 0.00 |
| λdu = Total Dangerous Undetected failures | 2.35 |
| λsd = Total Safe Detected failures | 0.00 |
| λsu = Total Safe Undetected failures | 96.00 |
| λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu | 98.35 |
| MTBF (Safety Function, single channel) = (1 / λtot safe) + MTTR | 1160 years |
| λno effect = "No Effect" failures | 218.25 |
| λnot part = "Not Part" failures | 0.00 |
| λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part | 316.60 |
| MTBF (Device, single channel) = (1 / λtot device) + MTTR | 360 years |
T[Proof] = 1 year: PFDavg = 1.03 E-05 - Valid for SIL 3
T[Proof] = 9 years: PFDavg = 9.27 E-05 - Valid for SIL 3
T[Proof] = 20 years: PFDavg = 2.06 E-04 - Valid for SIL 2
Application for D1092S and D1092D - Normally De-energized relay condition for ND Load
Functional Safety Manual and Applications
[Wiring diagrams for D1092S: "Normal state operation for D1092S" (PLC Output OFF, 0 Vdc) and "Energized to trip operation for D1092S" (PLC Output ON, 24 Vdc). Channel 1, terminals 1 to 4, with the SIL 3 Load and the Service Load (not for Safety Function purpose) wired between the + / AC Load Line and the - / AC Load Line.]
[Wiring diagrams for D1092D: "Normal state operation for D1092D" (PLC Output OFF, 0 Vdc) and "Energized to trip operation D1092D" (PLC Output ON, 24 Vdc). Channel 1 (terminals 1 to 4) and Channel 2 (terminals 5 to 8), each with a SIL 3 Load and a Service Load (not for Safety Function purpose) wired between the + / AC Load Line and the - / AC Load Line.]
Columns for ch. 2 (pins 7-8 and 5-6) apply only to D1092D.

| Operation | Input Signal, pins 13-14 or 9-11 (for ch.1), pins 15-16 or 10-12 (for ch.2) | Pins 3-4 | NE Load (SIL3) for ch. 1 | Pins 1-2 | Service Load to monitor ch.1 | Pins 7-8 | NE Load (SIL3) for ch. 2 | Pins 5-6 | Service Load to monitor ch.2 |
|---|---|---|---|---|---|---|---|---|---|
| Normal | Low (0 Vdc) | Open | De-Energized | Open | De-Energized | Open | De-Energized | Open | De-Energized |
| Trip | High (24 Vdc) | Closed | Energized | Closed | Energized | Closed | Energized | Closed | Energized |
| λsd | λsu | λdd | λdu | SFF |
|---|---|---|---|---|
| 0.00 FIT | 96.00 FIT | 0.00 FIT | 2.35 FIT | 97.61% |
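
Added example (not part of the G.M. International manual): a Python cross-check that recomputes the SFF, MTBF and PFDavg figures on this page from the published FIT values and finds the longest proof test interval that stays inside a 10% share of the SIL 3 budget. It assumes the simplified single-channel approximation PFDavg = λdu × T[Proof] / 2, a year of 8766 hours and an MTTR of 8 hours, chosen because they reproduce the page's rounded values; all function names are hypothetical.

```python
# Added example: recompute the D1092 figures from the published FIT values.
HOURS_PER_YEAR = 8766   # assumption: 365.25-day year (matches the page's rounding)
FIT = 1e-9              # 1 FIT = 1 failure per 1e9 device-hours

# Failure rates in FIT, copied from the failure rate table on this page.
RATES = {"dd": 0.00, "du": 2.35, "sd": 0.00, "su": 96.00,
         "no_effect": 218.25, "not_part": 0.00}

# IEC 61508 low-demand PFDavg upper bounds; capped at the stated systematic capability SIL 3.
SIL_UPPER = {3: 1e-3, 2: 1e-2, 1: 1e-1}

def lambda_tot_safe(r):
    return r["dd"] + r["du"] + r["sd"] + r["su"]

def lambda_tot_device(r):
    return lambda_tot_safe(r) + r["no_effect"] + r["not_part"]

def sff(r):
    """Safe Failure Fraction; 'no effect' and 'not part' rates are excluded."""
    return (r["sd"] + r["su"] + r["dd"]) / lambda_tot_safe(r)

def mtbf_years(fit, mttr_hours=8.0):  # MTTR of 8 h is an assumption
    return (1.0 / (fit * FIT) + mttr_hours) / HOURS_PER_YEAR

def pfd_avg(r, t_proof_years):
    """Simplified 1oo1 approximation (assumption): lambda_du * T_proof / 2."""
    return r["du"] * FIT * t_proof_years * HOURS_PER_YEAR / 2.0

def max_sil(pfd, share=0.10):
    """Highest SIL whose budget share (fraction of the upper bound) covers pfd."""
    for sil in (3, 2, 1):
        if pfd < SIL_UPPER[sil] * share:
            return sil
    return 0

def max_proof_interval_years(r, sil, share=0.10):
    """Longest T_proof that keeps the module inside its share of the SIL budget."""
    return 2.0 * SIL_UPPER[sil] * share / (r["du"] * FIT * HOURS_PER_YEAR)

if __name__ == "__main__":
    print(f"SFF = {sff(RATES):.2%}")
    for years in (1, 9, 20):
        p = pfd_avg(RATES, years)
        print(f"T[Proof] = {years:>2} y  PFDavg = {p:.2e}  SIL {max_sil(p)} at 10% share")
    print(f"Max T[Proof] for SIL 3 at 10% share: {max_proof_interval_years(RATES, 3):.1f} y")
```

Under these assumptions the 10% share of the SIL 3 budget is exhausted at a proof test interval between 9 and 10 years.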