D5036 - SIL 2 Switch/Proximity Detector Repeater, Relay Output
G.M. International ISM0269-3
| Failure category | Failure rates (FIT) |
|---|---|
| $\lambda_{dd}$ = Total Dangerous Detected failures | 0.00 |
| $\lambda_{du}$ = Total Dangerous Undetected failures | 51.22 |
| $\lambda_{sd}$ = Total Safe Detected failures | 0.00 |
| $\lambda_{su}$ = Total Safe Undetected failures | 124.62 |
| $\lambda_{\text{tot safe}}$ = Total Failure Rate (Safety Function) = $\lambda_{dd} + \lambda_{du} + \lambda_{sd} + \lambda_{su}$ | 175.84 |
| MTBF (safety function, one channel) = (1 / $\lambda_{\text{tot safe}}$) + MTTR (8 hours) | 649 years |
| $\lambda_{\text{no effect}}$ = “No Effect” failures | 128.26 |
| $\lambda_{\text{not part}}$ = “Not Part” failures | 23.50 |
| $\lambda_{\text{tot device}}$ = Total Failure Rate (Device) = $\lambda_{\text{tot safe}} + \lambda_{\text{no effect}} + \lambda_{\text{not part}}$ | 327.60 |
| MTBF (device, one channel) = (1 / $\lambda_{\text{tot device}}$) + MTTR (8 hours) | 348 years |
| $\lambda_{sd}$ | $\lambda_{su}$ | $\lambda_{dd}$ | $\lambda_{du}$ | SFF |
|---|---|---|---|---|
| 0.00 FIT | 124.62 FIT | 0.00 FIT | 51.22 FIT | 70.87% |
Functional Safety Manual and Application
Application for D5036S
Safety Function and Failure behavior:
D5036S is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
The failure behavior is described by the following definitions:
□ Fail-Safe State: it is defined as the relay output being de-energized (so that the NO contact is open and the NC contact is closed);
□ Fail Safe: failure mode that causes the module / (sub)system to go to the defined Fail-Safe state without a demand from the process;
□ Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined Fail-Safe state), so that the relay output remains energized (the NO contact is blocked in closed position and the NC contact is blocked in open position);
□ Fail “No Effect”: failure mode of a component that plays a part in implementing the Safety Function but that is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account;
□ Fail “Not part”: failure mode of a component that is not part of the Safety Function but that is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.
Failure rate data: taken from Siemens Standard SN29500.
Description:
For this application, enable input line fault (open or short) detection and the direct input to output transfer function by setting the internal dip-switches in the following mode (see page 10 for more information):
[Figure: D5036S (Ch.1), Channel 1, output with NO contact (Pins 1-2) connected to Safety PLC input. OFF operation: field input proximity is OFF or switch is open; out relay is de-energized, out contact is open. ON operation: field input proximity is ON or switch is closed; out relay is energized, out contact is closed.]
The module is powered by connecting 24 Vdc power supply to Pins 5 (+ positive) - 6 (- negative). The green LED is lit in presence of supply power.
Input signal from field is applied to Pins 7-8 (In 1 - Ch.1).
Relay contact output Pins 1-2 is normally open or Pins 3-4 is normally closed (because the relay is de-energized as the safe state condition) for OFF operation, while Pins 1-2 is closed or Pins 3-4 is open (because the relay is energized) for ON operation. The following table describes, for Channel 1, the state (open or closed) of its output contacts when its input signal is in the OFF or ON state, and shows whether its channel status LED and channel fault LED are turned on or off:
| Dip-switch position | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| ON/OFF state | ON | OFF | Not used | Not used |
[Figure labels: input (In) at Pins 7-8; Supply 24 Vdc at Pins 5 (+) and 6 (-); output with NC contact (Pins 3-4) connected to Safety PLC input. OFF operation with NC contact: out relay is de-energized, out contact is closed.]
| Input signal state, Pins 7-8 | Out relay contact state, Pins 1-2 (with NO contact) | Out relay contact state, Pins 3-4 (with NC contact) | Channel status yellow LED state | Channel fault red LED state |
|---|---|---|---|---|
| Proximity is OFF or switch is open | Open (De-energized relay) | Closed (De-energized relay) | OFF | OFF |
| Proximity is ON or switch is closed | Closed (Energized relay) | Open (Energized relay) | ON | OFF |
| If the input line is broken | Open (safe state condition) | Closed (safe state condition) | OFF | ON |
| If the input line is in short circuit | Open (safe state condition) | Closed (safe state condition) | OFF | ON |
[Figure labels: outputs with NO contact and with NC contact connected to Safety PLC input. ON operation with NC contact: out relay is energized, out contact is open.]
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

| T[Proof] = 1 year | T[Proof] = 4 years |
|---|---|
| PFDavg = 2.25 E-04, Valid for SIL 2 | PFDavg = 8.99 E-04, Valid for SIL 2 |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:

| T[Proof] = 20 years |
|---|
| PFDavg = 4.50 E-03, Valid for SIL 2 |

Systematic capability SIL 3.

Failure rate table and failure rates table according to IEC 61508:2010 Ed.2: see the tables at the top of this page.
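The figures on this page can be cross-checked against each other. The following added example (not part of the G.M. International manual) recomputes the totals, SFF and MTBF from the quoted FIT values and combines the quoted PFDavg values with the IEC 61508 limits. The function names, the SIL band limits taken from IEC 61508, and the budget of 1.0 used for the >10% case are assumptions of this example.

```python
# Added example: cross-check of the D5036S figures quoted on this page.
FIT = 1e-9              # 1 FIT = 1 failure per 1e9 device-hours
HOURS_PER_YEAR = 8760
MTTR_HOURS = 8          # from the page
RATES = {               # FIT values from the failure rate table on this page
    "dd": 0.00, "du": 51.22, "sd": 0.00, "su": 124.62,
    "no_effect": 128.26, "not_part": 23.50,
}
# Upper PFDavg limit of each SIL band in low demand mode (IEC 61508-1).
PFD_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}

def total_safety_function(r):
    return r["dd"] + r["du"] + r["sd"] + r["su"]

def total_device(r):
    return total_safety_function(r) + r["no_effect"] + r["not_part"]

def sff(r):
    """Safe Failure Fraction; "no effect" and "not part" are excluded."""
    return (r["sd"] + r["su"] + r["dd"]) / total_safety_function(r)

def mtbf_years(total_fit):
    """MTBF = (1 / lambda) + MTTR, converted from hours to years."""
    return (1.0 / (total_fit * FIT) + MTTR_HOURS) / HOURS_PER_YEAR

def architectural_sil(sff_value):
    """Maximum SIL for a Type A element with HFT = 0 (IEC 61508-2)."""
    if sff_value < 0.60:
        return 1
    return 2 if sff_value < 0.90 else 3

def pfd_sil(pfd_avg, budget):
    """Highest SIL whose band limit, scaled by the module's budget, is met."""
    for sil in (4, 3, 2, 1):
        if pfd_avg < budget * PFD_UPPER[sil]:
            return sil
    return 0

def claimable_sil(pfd_avg, budget, systematic_capability=3):
    """Lowest of the PFDavg, architectural and systematic limits."""
    return min(pfd_sil(pfd_avg, budget), architectural_sil(sff(RATES)),
               systematic_capability)

if __name__ == "__main__":
    print(f"SFF = {sff(RATES):.2%}")
    print(f"MTBF = {mtbf_years(total_safety_function(RATES)):.0f} years")
    for years, pfd, budget in ((1, 2.25e-4, 0.1), (4, 8.99e-4, 0.1), (20, 4.50e-3, 1.0)):
        print(years, "years ->", "SIL", claimable_sil(pfd, budget))
```

With a 0.1 budget the 20-year PFDavg of 4.50 E-03 only meets the SIL 1 band, and with a full budget the 1-year value reaches the SIL 3 band but stays capped at SIL 2 by the SFF of 70.87%.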