8
D1130
- SIL 2 Switch / Proximity Detector Repeater Relay Output
G.M. International ISM0048-12
Functional Safety Manual and Application
Application for D1130S
Safety Function and Failure behavior:
D1130S is considered to be operating in Low Demand mode, as a Type B module, having Hardware Fault Tolerance (HFT) = 0.
The failure behavior is described from the following definitions :
□
Fail-Safe State: it is defined as the output being de-energized (so that the output relay is de-energized).
□
Fail Safe: failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.
□
Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state), so that the output remains energized.
□
Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure.
When calculating the SFF, this failure mode is not taken into account;
□
Fail “Not Part”: failure mode of a component which is not part of the safety function but which is part of the circuit diagram and is listed for completeness.
When calculating the SFF, this failure mode is not taken into account.
As the module is supposed to be proven-in-use device, therefore according to the requirements of IEC 61511-1 section 11.4.4, a HFT = 0 is sufficient for SIL 2 (sub-) systems including
Type B components and having a SFF equal or more than 60%.
Only Out 1-A is functional safety related, while Out 1-B (Pins 6-5 or 7-5) as Out 1-A Duplicator output is only for service purpose, not functional safety related.
Failure rate date: taken from Siemens Standard SN29500.
Description:
For this application, enable input line fault (open or short) detection and direct input to output transfer function, by set the internal dip-switches in the following mode (see page 12
for more information):
ON operation
The module is powered by connecting 115-230 Vac power supply to Pins 3 (+ positive) - 4 (- negative). The green LED is lit in presence of supply power.
Input signal from field is applied to Pins 13-14 (In 1 - Ch.1).
Only Out 1-A is functional safety related, while Out 1-B (Pins 6-5 or 7-5) as Out 1-A Duplicator output is only for service purpose, not functional safety related.
The following table describes for Channel 1 the state (open or closed) of its output when its input signal is in OFF or ON state, and it gives information about turn-on or turn-off
of its channel status LED and channel fault LED:
Dip-switch position
1 2 3 4
ON/OFF state
ON ON OFF -
Failure category
Failure rates (FIT)
λ
dd
= Total Dangerous Detected failures
0.00
λ
du
= Total Dangerous Undetected failures
82.13
λ
sd
= Total Safe Detected failures
0.00
λ
su
= Total Safe Undetected failures
203.81
λ
tot safe
= Total Failure Rate (Safety Function) =
λ
dd
+
λ
du
+
λ
sd
+
λ
su
285.94
MTBF (safety function, channel 1) = (1 /
λ
tot safe
) + MTTR (8 hours)
399 years
λ
no effect
= “No Effect” failures
107.03
λ
not part
= “Not Part” failures
105.30
λ
tot device
= Total Failure Rate (Device) =
λ
tot safe
+
λ
no effect
+
λ
not part
498.27
MTBF (device, channel 1) = (1 /
λ
tot device
) + MTTR (8 hours)
229 years
λ
sd
λ
su
λ
dd
λ
du
SFF
0.00 FIT
203.81 FIT
0.00 FIT
82.13 FIT
71.28%
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes
≤
10% of total SIF dangerous failures:
Failure rates table according to IEC 61508:2010 Ed.2 :
Failure rate table:
T[Proof] = 1 year
T[Proof] = 2 years
PFDavg = 3.60 E-04 Valid for
SIL 2
PFDavg = 7.21 E-04 Valid for
SIL 2
D1130S
Field Input: proximity is OFF
or switch is open
Out 1-B is Out 1-A Duplicator
output
Channel 1
8
2
Out 1-A
Safety
PLC
Input
13
14
In 1
1
Out 1-A relay is de-energized,
2-1 is open, 8-1 is closed
7
6
Out 1-B
PLC
Input
5
OFF operation
D1130S
Field Input: proximity is ON
or switch is closed
Out 1-B is Out 1-A Duplicator
output
Channel 1
8
2
Out 1-A
Safety
PLC
Input
13
14
In 1
1
Out 1-A relay is energized,
2-1 is closed, 8-1 is open
7
6
Out 1-B
PLC
Input
5
Input signal state
Pins 13-14 (In 1 - Ch.1)
Output relay contact state
Pins 2-1 (Out 1-A - Ch.1)
Proximity sensor is OFF or switch is open
Open (De-energize relay)
Proximity sensor is ON or switch is closed
Closed (Energized relay)
Independently from proximity sensor
or switch state, the input line is break
Open
(De-energized relay as safe state condition)
Independently from proximity sensor
or switch state, the input line is in short circuit
Open
(De-energized relay as safe state condition)
Channel status
yellow LED state
OFF
ON
OFF
OFF
Channel fault
red LED state
OFF
OFF
ON
ON
Output relay contact state
Pins 8-1 (Out 1-A - Ch.1)
Closed (De-energized relay)
Open (Energize relay)
Closed
(De-energized relay as safe state condition)
Closed
(De-energized relay as safe state condition)
This type “B” system has SFF = 71.28 %
≥
60 % and HFT = 0, which is sufficient to get SIL 2 in accordance with the requirements of IEC 61511-1 section 11.4.4 during a proven-in-use
assessment.
T[Proof] = 10 years
PFDavg = 3.60 E-03 Valid for
SIL 2
Supply
115-230 Vac
3 (L)
4 (N)
Supply
115-230 Vac
3 (L)
4 (N)
