
D1031 - SIL 2 Switch / Proximity Detector Repeater Transistor Output
G.M. International ISM0009-17, page 8, Functional Safety Manual and Application
Application for D1031D
Safety Function and Failure behavior:
D1031D is considered to be operating in Low Demand mode, as a Type B module, having Hardware Fault Tolerance (HFT) = 0.
The failure behavior is described using the following definitions:
- Fail-Safe State: defined as the output being de-energized (so that the output transistor is open).
- Fail Safe: failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.
- Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. the module is unable to go to the defined fail-safe state), so that the output remains energized.
- Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure. This failure mode is not taken into account when calculating the SFF.
- Fail “Not Part”: failure mode of a component which is not part of the safety function but which is part of the circuit diagram and is listed for completeness. This failure mode is not taken into account when calculating the SFF.
Since the module is considered a proven-in-use device, according to the requirements of IEC 61511-1 section 11.4.4 an HFT = 0 is sufficient for SIL 2 (sub)systems that include Type B components and have an SFF equal to or greater than 60%.
Only Out 1-A and Out 2-A are functional safety related, while Out 1-B (Pins 7-2) and Out 2-B (Pins 8-6), being duplicator outputs of Out 1-A and Out 2-A, are for service purposes only and not functional safety related.
Failure rate data: taken from Siemens Standard SN29500.
Description:
For this application, enable input line fault (open or short) detection and the direct input-to-output transfer function by setting the internal dip-switches as shown in the dip-switch table below (see page 13 for more information).
The module is powered by connecting a 24 Vdc power supply to Pins 3 (+ positive) and 4 (- negative). The green LED is lit when supply power is present.
The input signal from the field is applied to Pins 13-14 (In 1 - Ch.1) and Pins 15-16 (In 2 - Ch.2).
Only Out 1-A (Pins 1-2) and Out 2-A (Pins 5-6) are functional safety related, while Out 1-B (Pins 7-2) and Out 2-B (Pins 8-6), being duplicator outputs of Out 1-A and Out 2-A, are for service purposes only and not functional safety related.
The following table describes, for each channel, the state (open or closed) of its output when its input signal is in the OFF or ON state, and gives the turn-on or turn-off of its channel status LED and channel fault LED:
Failure rates table according to IEC 61508:2010 Ed.2:

Failure category                                                                  Failure rate (FIT)
λdd = Total Dangerous Detected failures                                           0.00
λdu = Total Dangerous Undetected failures                                         49.29
λsd = Total Safe Detected failures                                                0.00
λsu = Total Safe Undetected failures                                              125.82
λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu          175.11
MTBF (safety function, channel 1) = (1 / λtot safe) + MTTR (8 hours)              651 years
λno effect = “No Effect” failures                                                 95.89
λnot part = “Not Part” failures                                                   112.00
λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part    383.00
MTBF (device, channel 1) = (1 / λtot device) + MTTR (8 hours)                     298 years

Safe Failure Fraction:

λsd         λsu          λdd         λdu          SFF
0.00 FIT    125.82 FIT   0.00 FIT    49.29 FIT    71.85%

This type “B” system has SFF = 71.85 % ≥ 60 % and HFT = 0, which is sufficient to get SIL 2 in accordance with the requirements of IEC 61511-1 section 11.4.4 during a proven-in-use assessment.

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:

T[Proof] = 1 year      PFDavg = 2.16 E-04   Valid for SIL 2
T[Proof] = 4 years     PFDavg = 8.65 E-04   Valid for SIL 2
T[Proof] = 10 years    PFDavg = 2.16 E-03   Valid for SIL 2

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤ 10% of total SIF dangerous failures:

OFF operation
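As an added worked example (not code from the D1031D manual or from G.M. International), the following script recomputes the SFF from the failure rates quoted above, the PFDavg for a 1oo1 (HFT = 0) channel with the simplified IEC 61508 approximation PFDavg ≈ λdu · T[Proof] / 2, and the SIL that results once the page's architectural limit (SIL 2 for this Type B, HFT = 0 module) is applied; the SIL band lookup assumes the module takes the whole SIF budget, i.e. the ">10%" case. The manual's PFDavg figures also include a 99% proof-test coverage term, so this approximation lands within about 1% of the quoted values.

```python
# Added example, not part of the D1031D manual.
FIT = 1e-9              # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760

# Failure rates quoted in the D1031D failure rate table, in FIT.
LAMBDA_DD = 0.00        # dangerous detected
LAMBDA_DU = 49.29       # dangerous undetected
LAMBDA_SD = 0.00        # safe detected
LAMBDA_SU = 125.82      # safe undetected

# IEC 61508 low-demand PFDavg bands: (SIL, lower bound incl., upper bound excl.)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]

# Highest SIL the manual claims for this Type B, HFT = 0, SFF >= 60 % module
# (IEC 61511-1 section 11.4.4, proven-in-use assessment).
ARCHITECTURAL_CAP = 2


def safe_failure_fraction(l_dd, l_du, l_sd, l_su):
    """SFF in percent: (lambda_sd + lambda_su + lambda_dd) / lambda_tot."""
    total = l_dd + l_du + l_sd + l_su
    return 100.0 * (l_sd + l_su + l_dd) / total


def pfd_avg_1oo1(l_du_fit, t_proof_years):
    """Simplified IEC 61508 1oo1 approximation: PFDavg ~= lambda_du * T / 2.
    The manual's figures also include a 99 % proof-test coverage term, so
    this value sits within about 1 % of the quoted PFDavg."""
    return l_du_fit * FIT * t_proof_years * HOURS_PER_YEAR / 2.0


def sil_from_pfd(pfd):
    """SIL band the PFDavg falls into, or 0 if worse than SIL 1."""
    for sil, low, high in PFD_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def achievable_sil(pfd, cap=ARCHITECTURAL_CAP):
    """PFD band limited by the architectural constraint (HFT / SFF / type)."""
    return min(sil_from_pfd(pfd), cap)


if __name__ == "__main__":
    sff = safe_failure_fraction(LAMBDA_DD, LAMBDA_DU, LAMBDA_SD, LAMBDA_SU)
    print(f"SFF = {sff:.2f} %")
    for years in (1, 4, 10):
        pfd = pfd_avg_1oo1(LAMBDA_DU, years)
        print(f"T[Proof] = {years:2d} y: PFDavg = {pfd:.2e} -> SIL {achievable_sil(pfd)}")
```

Note that at T[Proof] = 1 year the PFDavg alone would fall in the SIL 3 band; it is the HFT = 0 / Type B architectural constraint, not the PFDavg, that limits the module to SIL 2.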
Figure (OFF operation): wiring diagram of the D1031D. Supply 24 Vdc on Pins 3 (+) and 4 (-); field inputs In 1 on Pins 13-14 (Channel 1) and In 2 on Pins 15-16 (Channel 2); Out 1-A (Pins 1-2) and Out 2-A (Pins 5-6) to Safety PLC inputs; Out 1-B (Pins 7-2) and Out 2-B (Pins 8-6) to PLC inputs.
Field Input: proximity is OFF or switch is open. Out 1-A and Out 2-A transistors are de-energized, 1-2 and 5-6 are open. Out 1-B and Out 2-B are Out 1-A and Out 2-A duplicator outputs.
Figure (ON operation): same wiring as the OFF operation figure. Field Input: proximity is ON or switch is closed.

Dip-switch setting for this application:

Dip-switch position   1    2    3    4    5    6    7    8
ON/OFF state          ON   ON   ON   ON   OFF  -    OFF  -
Input signal state                                 Output transistor state                                                        1-A or 2-A Ch. status   1-A or 2-A Ch. fault
Pins 13-14 (In 1 - Ch.1) or 15-16 (In 2 - Ch.2)    Out 1-A (Pins 1-2) or Out 2-A (Pins 5-6) (functional safety related output)    yellow LED state        red LED state
Proximity sensor is OFF or switch is open          Open (De-energized transistor)                                                 OFF                     OFF
Proximity sensor is ON or switch is closed         Closed (Energized transistor)                                                  ON                      OFF
The input line is broken                           Open (De-energized transistor as safe state condition)                         OFF                     ON
The input line is in short circuit                 Open (De-energized transistor as safe state condition)                         OFF                     ON
Figure caption (ON operation): Out 1-A and Out 2-A transistors are energized, 1-2 and 5-6 are closed. Out 1-B and Out 2-B are Out 1-A and Out 2-A duplicator outputs.