6
D5290S-078
- 5 A SIL 3 Relay Output Module
G.M. International ISM0152-8
Functional Safety Manual and Applications
22
21
20
23
24-19
18-13
17
14
Application D5290S-078 - SIL 3 Load Normally Energized Condition (NE) and Normally Energized Relay:
one common driving signal from PLC for both NE loads (A and B), with interruption of only one load supply line
B
NE
Load
SIL 3
PLC
Output ON
24 Vdc
Normal state operation
De-energized to trip operation
Service
Load B
(Not SIL)
A
NE
Load
SIL 3
16
15
Service
Load A
(Not SIL)
22
21
20
23
24-19
18-13
17
14
B
NE
Load
SIL 3
PLC
Output OFF
0 Vdc
Service
Load B
(Not SIL)
A
NE
Load
SIL 3
16
15
Service
Load A
(Not SIL)
+ / AC (for load A and its service load)
+ / AC (for load B and its service load)
+ / AC (for load A and its service load)
+ / AC (for load B and its service load)
- / AC (for load A and its service load)
- / AC (for load B and its service load)
- / AC (for load A and its service load)
- / AC (for load B and its service load)
2)
Input Signal
Pins 1-2 or 3-4
Pins
13-14
Pins
15-16
NE Load A (SIL3)
Pins 15-Supply
NE Load B (SIL 3)
Pins 22-Supply
Service
Load A
High (24 Vdc)
Closed Closed
Energized Energized De-Energized
Low (0 Vdc)
Open
Open
De-Energized De-Energized
Energized
Service
Load B
De-Energized
Energized
Pins
23-24
Closed
Open
Pins
21-22
Closed
Open
Operation
Normal
Trip
Pins
17-18
Open
Closed
Pins
19-20
Open
Closed
Description:
Input Signal from PLC/DCS is normally High (24 Vdc) and is applied to pins 1-2 or 3-4 in order to Normally Energize (NE) the internal relays.
Input Signal from PLC/DCS is Low (0 Vdc) during “de-energize to trip” operation, in order de-energize the internal relays.
Load A (and Load B if present) is Normally Energized (NE) therefore its safe state is to be de-energized.
Disconnection of Loads A and B is done by disconnecting one supply line via two separate contacts.
Service Load A (and Service Load B if present) is normally de-energized, therefore it energizes during “de-energize to trip” operation.
The following table describes the status (open or closed) of each output contact when input signal is High or Low.
Safety Function and Failure behavior:
D5290S-078 is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
In the 2nd Functional Safety application, the normal state operation of relay module is energized, with NE (Normally Energized) loads.
In case of alarm or request from process, the relay module is de-energized (safe state), de-energizing loads.
The failure behaviour of relay module is described by the following definitions:
□
fail-Safe State: it is defined as the output load being de-energized;
□
fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;
□
fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state), so that the output load remains energized.
In addition, there are other definitions of failure behaviours which are not safety-related:
□
fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;
□
fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness. When calculating the SFF this
failure mode is not taken into account. It is also not considered for the total failure rate evaluation.
Failure rate date: taken from Siemens Standard SN29500.
Failure rates table according to IEC 61508:2010 Ed.2 :
λ
sd
λ
su
λ
dd
λ
du
SFF
0.00 FIT
190.02 FIT
0.00 FIT
1.60 FIT
99.17%
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes
≤
10% of total SIF dangerous failures:
T[Proof] = 1 year
T[Proof] = 10 years
PFDavg = 7.01 E-06 - Valid for
SIL 3
PFDavg = 7.01 E-05 - Valid for
SIL 3
PFDavg vs T[Proof] table
(assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
T[Proof] = 20 years
PFDavg = 1.40 E-04 - Valid for
SIL 3
Failure rate table:
Failure category
Failure rates (FIT)
λ
dd
= Total Dangerous Detected failures
0.00
λ
du
= Total Dangerous Undetected failures
1.60
λ
sd
= Total Safe Detected failures
0.00
λ
su
= Total Safe Undetected failures
190.02
λ
tot safe
= Total Failure Rate (Safety Function) =
λ
dd
+
λ
du
+
λ
sd
+
λ
su
191.62
λ
not part
= “Not Part” failures
0.60
λ
tot device
= Total Failure Rate (Device) =
λ
tot safe
+
λ
no effect
+
λ
not part
284.60
MTBF (device, single channel) = (1 /
λ
tot device
) + MTTR (8 hours)
401 years
MTTF
S
(Total Safe) = 1 / (
λ
sd
+
λ
su
)
600 years
MTTF
D
(Dangerous) = 1 /
λ
du
71347 years
λ
no effect
= “No effect” failures
92.38
MTBF (safety function, single channel) = (1 /
λ
tot safe
) + MTTR (8 hours)
595 years
Systematic capability SIL 3.
