6
D5091
- 5 A SIL 3 Relay Output Module for ND Load with ND or NE Relay condition
G.M. International ISM0110-12
Functional Safety Manual and Applications
Application for D5091S - SIL Load Normally De-Energized Condition (ND) and Normally Energized Relay
Normal state operation
De-energized to trip operation
8
Service
Load
7 - 9
- / AC
+ / AC
PLC
Output ON
24 Vdc
10
Load
SIL3
- / AC
+ / AC
Service
Load
PLC
Output OFF
0 Vdc
8
7 - 9
10
Load
SIL3
Description:
Input Signal from PLC/DCS is normally High (24 Vdc) and is applied to pins 1-2 in order to Normally Energize (NE) the internal relays.
Input Signal from PLC/DCS is Low (0 Vdc) during “de-energized to trip” operation, in order to de-energize the internal relays.
The Load is Normally De-Energized (ND), therefore its safe state is to be energized; the Service Load is normally energized, therefore it de-energizes during
“de-energized to trip” operation.
Disconnection of the ND Load is done on only one load line supply.
The following table describes the status (open or closed) of each output contact when the input signal is High or Low.
Safety Function and Failure behavior:
D5091S is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
In the 2nd Functional Safety application, the normal state operation of relay module is energized, with ND (Normally De-Energized) load.
In case of alarm or request from process, the relay module is de-energized (safe state), energizing the load.
The failure behaviour of the relay module is described by the following definitions:
□
fail-Safe State: it is defined as the output load being energized;
□
fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;
□
fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state),
so that the output load remains de-energized.
□
fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;
When calculating the SFF this failure mode is not taken into account.
□
fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness.
When calculating the SFF this failure mode is not taken into account.
Failure rate date: taken from Siemens Standard SN29500.
Failure rate table:
Failure rates table according to IEC 61508:2010 Ed.2 :
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes
≤
10% of total SIF dangerous failures:
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
Systematic capability SIL 3.
Operation
Input Signal
Pins 1-2
Pins
7/9- 8
Pins
7/9 - 10
ND Load (SIL3)
Pins 10 — - / ACSupply
Service Load (Not SIL)
Pins 8 — - / ACSupply
Normal
High (24 Vdc)
Closed Open
De-Energized
Energized
Trip
Low (0 Vdc)
Open
Closed Energized
De-Energized
Failure category
Failure rates (FIT)
λ
dd
= Total Dangerous Detected failures
0.00
λ
du
= Total Dangerous Undetected failures
1.60
λ
sd
= Total Safe Detected failures
0.00
λ
su
= Total Safe Undetected failures
191.40
λ
tot safe
= Total Failure Rate (Safety Function) =
λ
dd
+
λ
du
+
λ
sd
+
λ
su
193.00
MTBF (safety function, single channel) = (1 /
λ
tot safe
) + MTTR (8 hours)
591 years
λ
no effect
= “No effect” failures
209.60
λ
not part
= “Not Part” failures
0.00
λ
tot device
= Total Failure Rate (Device) =
λ
tot safe
+
λ
no effect
+
λ
not part
402.60
MTBF (device, single channel) = (1 /
λ
tot device
) + MTTR (8 hours)
283 years
MTTF
S
(Total Safe) = 1 / (
λ
sd
+
λ
su
)
596 years
MTTF
D
(Dangerous) = 1 /
λ
du
71347 years
λ
sd
λ
su
λ
dd
λ
du
SFF
0.00 FIT
191.40 FIT
0.00 FIT
1.60 FIT
99.17%
T[Proof] = 1 year
T[Proof] = 14 years
PFDavg = 7.01 E-06 - Valid for
SIL 3
PFDavg = 9.81 E-05 - Valid for
SIL 3
2)
T[Proof] = 20 years
PFDavg = 1.40 E-04 - Valid for
SIL 3
