D5290S-079 - 5 A SIL 3 Relay Output Module (115 Vac coil voltage)
G.M. International ISM0153-2
Functional Safety Manual and Applications
Application D5290S-079 - SIL 3 Load Normally De-energized Condition (ND) and Normally Energized Relay:
one common driving signal from PLC for both ND loads (A and B), with interruption of only one load supply line.
[Wiring diagram, two panels: "Normal state operation" (PLC Output ON, 115 Vac at the input) and "De-Energize to trip operation" (PLC Output OFF, 0 Vac at the input). Each panel shows channel A (ND Load A, SIL 3, with Service Load A, Not SIL) and channel B (ND Load B, SIL 3, with Service Load B, Not SIL), the output contact pins 13-14, 17-18, 19-20 and 23-24, and the + / AC and - / AC supply lines for each load and its service load.]
4)
Description:
Input Signal from PLC/DCS is normally High (115 Vac) and is applied to pins 1-2 or 3-4 in order to Normally Energize (NE) the internal relays.
Input Signal from PLC/DCS is Low (0 Vac) during “de-energize to trip” operation, in order to de-energize the internal relays.
Load A (and Load B if present) is Normally De-Energized (ND); therefore its safe state is to be energized.
Disconnection of Loads A and B is done by disconnecting one supply line.
Service Load A (and Service Load B if present) is normally energized; therefore it de-energizes during “de-energize to trip” operation.
The following table describes the status (open or closed) of each output contact when the input signal is High or Low.

Operation | Input Signal (Pins 1-2 or 3-4) | Pins 17-18 | Pins 19-20 | ND Load A (SIL 3), Pins 17-Supply | ND Load B (SIL 3), Pins 20-Supply | Pins 13-14 | Pins 23-24 | Service Load A | Service Load B
Normal | High (115 Vac) | Open | Open | De-Energized | De-Energized | Closed | Closed | Energized | Energized
Trip | Low (0 Vac) | Closed | Closed | Energized | Energized | Open | Open | De-Energized | De-Energized
Safety Function and Failure behaviour:
D5290S-079 is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
In the 4th Functional Safety application, the normal state operation of the relay module is energized, with ND (Normally De-energized) loads.
In case of alarm or request from the process, the relay module is de-energized (safe state), energizing the loads.
The failure behaviour of all relay modules here considered is described by the following definitions:
- Fail-Safe State: it is defined as the output load being energized;
- Fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;
- Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state), so that the output load remains de-energized.
In addition, there are other definitions of failure behaviours which are not safety-related:
- Fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;
- Fail “Not part”: failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not considered for the total failure rate evaluation.
Failure rate table:

Failure category | Failure rates (FIT)
λ_dd = Total Dangerous Detected failures | 0.00
λ_du = Total Dangerous Undetected failures | 1.60
λ_sd = Total Safe Detected failures | 0.00
λ_su = Total Safe Undetected failures | 158.88
λ_tot safe = Total Failure Rate (Safety Function) = λ_dd + λ_du + λ_sd + λ_su | 160.48
λ_no effect = “No effect” failures | 11.92
λ_not part = “Not Part” failures | 0.00
λ_tot device = Total Failure Rate (Device) = λ_tot safe + λ_no effect + λ_not part | 172.40
MTBF (device, single channel) = (1 / λ_tot device) + MTTR (8 hours) | 662 years
MTTF_S (Total Safe) = 1 / (λ_sd + λ_su) | 718 years
MTTF_D (Dangerous) = 1 / λ_du | 71347 years
MTBF (safety function, single channel) = (1 / λ_tot safe) + MTTR (8 hours) | 711 years
Failure rates table according to IEC 61508:

λ_sd | λ_su | λ_dd | λ_du | SFF
0.00 FIT | 158.88 FIT | 0.00 FIT | 1.60 FIT | 99.00%
PFDavg vs T[Proof] table, with determination of SIL supposing the module contributes 10% of the entire safety function:

T[Proof] = 1 year | PFDavg = 7.01 E-06 | Valid for SIL 3
T[Proof] = 10 years | PFDavg = 7.01 E-05 | Valid for SIL 3
T[Proof] = 20 years | PFDavg = 1.40 E-04 | Valid for SIL 2

PFDavg vs T[Proof] table, with determination of SIL supposing the module contributes 20% of the entire safety function:

T[Proof] = 20 years | PFDavg = 1.40 E-04 | Valid for SIL 3
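The following Python script is an added worked check of the figures in the tables above; it is not part of the G.M. International manual. It recomputes SFF, PFDavg, the SIL claim and the MTBF/MTTF values from the listed failure rates, assuming the simplified single-channel formula PFDavg = λ_du · T[Proof] / 2, the IEC 61508 low-demand PFDavg bands and the Type A / HFT = 0 architectural constraint as recalled here (the SIL claim is the PFD-based SIL capped by that constraint, which is why a 1-year proof test still yields SIL 3 rather than SIL 4).

```python
# Added worked check of the D5290S-079 figures (not the manufacturer's calculation).
# Assumes the simplified 1oo1 formula PFDavg = lambda_DU * T_proof / 2, the IEC 61508
# low-demand PFDavg bands and the Type A / HFT = 0 architectural constraint as recalled here.
HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours

# Failure rates from the manual's failure rate table, in FIT
LAMBDA_DD, LAMBDA_DU, LAMBDA_SD, LAMBDA_SU = 0.00, 1.60, 0.00, 158.88
# Upper PFDavg limit of each SIL band, low demand mode (assumed IEC 61508-1 values)
PFD_UPPER_LIMIT = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}

def sff(l_dd=LAMBDA_DD, l_du=LAMBDA_DU, l_sd=LAMBDA_SD, l_su=LAMBDA_SU):
    """Safe Failure Fraction: every safety-function failure except dangerous undetected, over the total."""
    return (l_sd + l_su + l_dd) / (l_dd + l_du + l_sd + l_su)

def max_sil_type_a_hft0(sff_value):
    """Architectural constraint for a Type A element with HFT = 0 (assumed IEC 61508-2 table)."""
    if sff_value < 0.60:
        return 1
    if sff_value < 0.90:
        return 2
    return 3  # 90% and above: SIL 3 is the ceiling for a single channel

def pfd_avg(l_du_fit, t_proof_years):
    """Simplified single-channel PFDavg: dangerous undetected failures accumulate until the proof test."""
    return l_du_fit * FIT * t_proof_years * HOURS_PER_YEAR / 2

def sil_from_pfd(pfd, contribution):
    """Highest SIL band the module fits when allowed `contribution` of the whole loop's PFD budget."""
    for sil in (4, 3, 2, 1):
        if pfd <= PFD_UPPER_LIMIT[sil] * contribution:
            return sil
    return 0

def module_sil(t_proof_years, contribution):
    """SIL claimable for the module: PFD-based SIL, capped by the architectural constraint."""
    return min(sil_from_pfd(pfd_avg(LAMBDA_DU, t_proof_years), contribution),
               max_sil_type_a_hft0(sff()))

def mtbf_years(l_tot_fit, mttr_hours=8.0):
    """MTBF of a single channel in years: 1/lambda plus the 8 h MTTR used in the table (0 h gives MTTF)."""
    return (1.0 / (l_tot_fit * FIT) + mttr_hours) / HOURS_PER_YEAR

if __name__ == "__main__":
    print(f"SFF = {sff():.2%}, MTBF(device) = {mtbf_years(172.40):.0f} years")
    for t, c in ((1, 0.10), (10, 0.10), (20, 0.10), (20, 0.20)):
        print(f"T_proof={t:2d} y, {c:.0%} budget: PFDavg={pfd_avg(LAMBDA_DU, t):.2e}, SIL {module_sil(t, c)}")
```

Running it reproduces the 7.01E-06 / 7.01E-05 / 1.40E-04 values and the SIL 3 / SIL 3 / SIL 2 (10%) and SIL 3 (20%) claims, as well as SFF = 99.00% and the 662, 711 and 71347 year figures.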