D1130D - SIL 2 Switch / Proximity Detector Repeater Relay Output
G.M. International ISM0048-12 Functional Safety Manual and Application (page 7)
Application for D1130D
Failure rates table according to IEC 61508:2010 Ed.2:

Failure category | Failure rate (FIT)
λdd = Total Dangerous Detected failures | 0.00
λdu = Total Dangerous Undetected failures | 82.13
λsd = Total Safe Detected failures | 0.00
λsu = Total Safe Undetected failures | 203.81
λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu | 285.94
MTBF (safety function, one channel) = (1 / λtot safe) + MTTR (8 hours) | 399 years
λno effect = “No Effect” failures | 107.03
λnot part = “Not Part” failures | 111.90
λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part | 504.87
MTBF (device) = (1 / λtot device) + MTTR (8 hours) | 226 years

Failure rate table:

λsd | λsu | λdd | λdu | SFF
0.00 FIT | 203.81 FIT | 0.00 FIT | 82.13 FIT | 71.28%

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:
Safety Function and Failure behavior:
D1130D is considered to be operating in Low Demand mode, as a Type B module, having Hardware Fault Tolerance (HFT) = 0.
The failure behavior is described by the following definitions:
□ Fail-Safe State: it is defined as the output being de-energized (so that the output relay is de-energized).
□ Fail Safe: failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.
□ Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state), so that the output remains energized.
□ Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account;
□ Fail “Not Part”: failure mode of a component which is not part of the safety function but which is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.
As the module is considered a proven-in-use device, according to the requirements of IEC 61511-1 section 11.4.4 a HFT = 0 is sufficient for SIL 2 (sub-)systems including Type B components and having a SFF equal to or greater than 60%.
The 2 channels of the D1130D module cannot be used to increase the hardware fault tolerance needed for a higher SIL of a certain Safety Function, as they are not completely independent of one another.
Failure rate data: taken from Siemens Standard SN29500.
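As an added worked example (not from the manual), the following Python recomputes the table's λtot, MTBF, SFF and PFDavg figures from the four FIT values above and applies the SIL banding used in the PFDavg tables; the first-order PFDavg formula and the reading of the 10% rule are assumptions, marked as such in the comments.

```python
# Added worked example (not from the D1130D manual): recompute the manual's
# failure-rate figures from its four FIT values and derive the SIL claim.
FIT = 1e-9             # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760
MTTR_HOURS = 8         # as used in the manual's MTBF rows
# Failure rates from the manual's table, in FIT.
LAMBDA = {"dd": 0.00, "du": 82.13, "sd": 0.00, "su": 203.81,
          "no_effect": 107.03, "not_part": 111.90}
# IEC 61508 low-demand PFDavg bands: SIL n covers [10^-(n+1), 10^-n).
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
def lambda_tot_safe(l=LAMBDA):
    return l["dd"] + l["du"] + l["sd"] + l["su"]

def lambda_tot_device(l=LAMBDA):
    # "No Effect" and "Not Part" count for the device, not the safety function
    return lambda_tot_safe(l) + l["no_effect"] + l["not_part"]

def mtbf_years(lambda_fit):
    # MTBF = 1/lambda + MTTR, as in the manual's table
    return (1.0 / (lambda_fit * FIT) + MTTR_HOURS) / HOURS_PER_YEAR

def sff(l=LAMBDA):
    # Safe Failure Fraction: every failure except dangerous undetected;
    # "No Effect" and "Not Part" are excluded by definition
    return (l["sd"] + l["su"] + l["dd"]) / lambda_tot_safe(l)
def pfd_avg(lambda_du_fit, t_proof_years):
    # First-order 1oo1 approximation PFDavg ~ lambda_du * T_proof / 2. Assumption:
    # the vendor's exact method is not on the page; this matches its values to rounding.
    return lambda_du_fit * FIT * t_proof_years * HOURS_PER_YEAR / 2

def sil_from_pfd(pfd, share_over_10pct=True):
    # Assumption: a module contributing <=10% of the SIF's dangerous failures
    # may only consume a tenth of each band.
    scale = 1.0 if share_over_10pct else 0.1
    for sil in (4, 3, 2, 1):
        lo, hi = SIL_BANDS[sil]
        if lo * scale <= pfd < hi * scale:
            return sil
    return 0  # PFDavg too high for any SIL

def sil_architectural(sff_value, hft):
    # The manual's claim: proven-in-use Type B with HFT = 0 and SFF >= 60%
    # qualifies for SIL 2 (IEC 61511-1 section 11.4.4); nothing else is claimed.
    return 2 if hft == 0 and sff_value >= 0.60 else 0

def sil_claim(t_proof_years, share_over_10pct=True):
    # Claimable SIL is bounded by the PFDavg band and by the architecture.
    pfd_sil = sil_from_pfd(pfd_avg(LAMBDA["du"], t_proof_years), share_over_10pct)
    return min(pfd_sil, sil_architectural(sff(), hft=0))
```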
Input signal state, Pins 13-14 (In 1 - Ch.1) or 15-16 (In 2 - Ch.2) | Output relay contact state, Pins 2-1 (Out 1 - Ch.1) or 6-5 (Out 2 - Ch.2) | Channel status yellow LED state | Channel fault red LED state | Output relay contact state, Pins 8-1 (Out 1 - Ch.1) or 7-5 (Out 2 - Ch.2)
Proximity sensor is OFF or switch is open | Open (de-energized relay) | OFF | OFF | Closed (de-energized relay)
Proximity sensor is ON or switch is closed | Closed (energized relay) | ON | OFF | Open (energized relay)
Independently from proximity sensor or switch state, the input line is broken | Open (de-energized relay as safe state condition) | OFF | ON | Closed (de-energized relay as safe state condition)
Independently from proximity sensor or switch state, the input line is in short circuit | Open (de-energized relay as safe state condition) | OFF | ON | Closed (de-energized relay as safe state condition)
Description:
For this application, enable input line fault (open or short) detection and the direct input-to-output transfer function by setting the internal dip-switches as follows (see page 11 for more information):
[Figure: OFF operation wiring diagram, D1130D (Ch.1 and Ch.2). Field Input: proximity is OFF or switch is open. Out 2 relay is de-energized, 6-5 is open, 7-5 is closed. Out 1 and Out 2 contacts are wired to Safety PLC inputs.]
The module is powered by connecting a 115-230 Vac power supply to Pins 3 (L) - 4 (N). The green LED is lit in presence of supply power.
Input signals from the field are applied to Pins 13-14 (In 1 - Ch.1) and Pins 15-16 (In 2 - Ch.2).
The following table describes, for each channel, the state (open or closed) of its output contacts when its input signal is in the OFF or ON state, and gives information about the turn-on or turn-off of the related channel status LED and channel fault LED:
Dip-switch position | 1 | 2 | 3 | 4
ON/OFF state | ON | ON | ON | ON
PFDavg vs T[Proof] (assuming Proof Test coverage of 99%):

T[Proof] | PFDavg | Valid for
1 year | 3.60 E-04 | SIL 2
2 years | 7.21 E-04 | SIL 2
10 years | 3.60 E-03 | SIL 2
[Figure (OFF operation, cont.): Out 1 relay is de-energized, 2-1 is open, 8-1 is closed.]
[Figure: ON operation wiring diagram, D1130D (Ch.1 and Ch.2). Field Input: proximity is ON or switch is closed. Out 1 relay is energized, 2-1 is closed, 8-1 is open. Out 2 relay is energized, 6-5 is closed, 7-5 is open. Supply on pins 3 (L) - 4 (N); In 1 on pins 13-14, In 2 on pins 15-16; Out 1 and Out 2 contacts are wired to Safety PLC inputs.]
This type “B” system has SFF = 71.28 % ≥ 60 % and HFT = 0, which is sufficient to get SIL 2 in accordance with the requirements of IEC 61511-1 section 11.4.4 during a proven-in-use assessment.