D5290S-078 - 5 A SIL 3 Relay Output Module
G.M. International ISM0152-8 Functional Safety Manual and Applications (page 9)
Application 5) D5290S-078 - SIL 3 Load Normally De-energized Condition (ND) and Normally De-energized Relay, with interruption of only one load supply line
[Wiring diagram, two panels: "Normal state operation" (PLC Output OFF, 0 Vdc on the input) and "Energized to trip operation" (PLC Output ON, 24 Vdc on the input). Labels in both panels: ND Load (SIL 3); Service Load (Not SIL); load supply + / AC and - / AC; terminals 18-13 or 19-24, 17 or 20, 14 or 23, 16, 15, 21, 22.]
Operation | Input Signal, Pins 1-2 or 3-4 | Pins 13-14 or 23-24 | Pins 15-16 | Pins 21-22 | ND Load (SIL 3), Pins 14 (or 23), 16, 21 - Supply | Pins 17-18 or 19-20 | Service Load
Normal    | Low (0 Vdc)                   | Open                | Open       | Open       | De-Energized                                       | Closed              | Energized
Trip      | High (24 Vdc)                 | Closed              | Closed     | Closed     | Energized                                          | Open                | De-Energized
Description:
The Input Signal from PLC/DCS is normally Low (0 Vdc) and is applied to pins 1-2 or 3-4, so that the internal relays are Normally De-energized (ND).
The Input Signal from PLC/DCS goes High (24 Vdc) during "energize to trip" operation, in order to energize the internal relays.
The Load is Normally De-Energized (ND), therefore its safe state is energized. The Load is connected in parallel to pins 14 (or 23), 16 and 21.
Load switching is done on one supply line only, via three separate contacts connected in parallel.
The Service Load is normally energized, therefore it de-energizes during "energize to trip" operation.
The table above gives the status (open or closed) of each output contact when the input signal is High or Low.
Safety Function and Failure behavior:
D5290S-078 is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
In the 5th Functional Safety application, the normal state operation of relay module is de-energized, with ND loads.
In case of alarm or request from process, the relay module is energized (safe state), energizing loads.
The failure behaviour of all relay modules here considered is described by the following definitions:
- fail-Safe State: it is defined as the output load being energized;
- fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;
- fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state), so that the output load remains de-energized.
In addition, there are other definitions of failure behaviours which are not safety-related:
- fail "No effect": failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;
- fail "Not part": failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not considered for the total failure rate evaluation.
Failure rate data: taken from Siemens Standard SN29500.
Failure rates table according to IEC 61508:2010 Ed.2:
λsd      | λsu        | λdd      | λdu      | SFF
0.00 FIT | 299.70 FIT | 0.00 FIT | 3.60 FIT | 98.81%

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤ 10% of total SIF dangerous failures:
T[Proof] = 1 year  | PFDavg = 1.58 E-05 - Valid for SIL 3
T[Proof] = 6 years | PFDavg = 9.46 E-05 - Valid for SIL 3
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
T[Proof] = 20 years | PFDavg = 3.15 E-04 - Valid for SIL 3

Failure rate table:
Failure category                                                                         | Failure rates (FIT)
λdd = Total Dangerous Detected failures                                                  | 0.00
λdu = Total Dangerous Undetected failures                                                | 3.60
λsd = Total Safe Detected failures                                                       | 0.00
λsu = Total Safe Undetected failures                                                     | 299.70
λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu                 | 303.30
λno effect = "No effect" failures                                                        | 99.30
λnot part = "Not Part" failures                                                          | 0.00
λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part           | 402.60
MTBF (device, single channel) = (1 / λtot device) + MTTR (8 hours)                       | 283 years
MTBF (safety function, single channel) = (1 / λtot safe) + MTTR (8 hours)                | 376 years
MTTFS (Total Safe) = 1 / (λsd + λsu)                                                     | 380 years
MTTFD (Dangerous) = 1 / λdu                                                              | 31709 years
Systematic capability SIL 3.
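Worked reproduction of the figures above, added here as an example and not taken from the G.M. International manual. The FIT values are those on this page; everything else is my assumption: 8760 h per year, the single-channel PFDavg approximated as λdu · T[Proof] / 2 with the 1% proof-test-uncovered term neglected (this reproduces the page's three PFDavg figures), the "≤ 10% of SIF dangerous failures" rule applied as PFDavg below 10% of the upper limit of the SIL band, and the architectural constraint taken from the IEC 61508-2 Route 1H table for a Type A element with HFT = 0, which caps the claim at SIL 3 for an SFF between 90% and 99%.

```python
"""Added worked example (not from the G.M. International manual): recomputes the
D5290S-078 SFF, PFDavg, MTBF and MTTF figures from the FIT values on the page.

Assumptions (mine, not stated on the page): 8760 h/year; PFDavg of one channel
(HFT = 0) = lambda_du * T[Proof] / 2, neglecting the 1 % uncovered term; the
"<= 10 % of SIF dangerous failures" rule means PFDavg < 10 % of the SIL band
upper limit; architectural constraint from IEC 61508-2 Table 2 (Type A, HFT = 0).
"""
import math

FIT = 1e-9             # failures per hour
HOURS_PER_YEAR = 8760  # assumption
MTTR_H = 8             # hours, as stated on the page

# Failure rates in FIT, copied from the page's failure rate table
LAM_SD, LAM_SU, LAM_DD, LAM_DU = 0.00, 299.70, 0.00, 3.60
LAM_NO_EFFECT, LAM_NOT_PART = 99.30, 0.00


def sff(sd, su, dd, du):
    """Safe Failure Fraction: share of safety-function failures that are not
    dangerous undetected. "No effect" and "Not part" failures are excluded."""
    return (sd + su + dd) / (sd + su + dd + du)


def pfd_avg(du_fit, t_proof_years):
    """Average PFD of one channel between proof tests (simple approximation)."""
    return du_fit * FIT * t_proof_years * HOURS_PER_YEAR / 2


def mtbf_years(total_fit):
    """MTBF = 1/lambda + MTTR, truncated to whole years like the page."""
    return math.floor((1 / (total_fit * FIT) + MTTR_H) / HOURS_PER_YEAR)


def mttf_years(lam_fit):
    """MTTF = 1/lambda, truncated to whole years like the page."""
    return math.floor(1 / (lam_fit * FIT) / HOURS_PER_YEAR)


def max_sil_type_a_hft0(sff_value):
    """Architectural constraint (IEC 61508-2 Table 2, Type A, HFT = 0)."""
    if sff_value >= 0.99:
        return 4
    if sff_value >= 0.90:
        return 3
    if sff_value >= 0.60:
        return 2
    return 1


# Upper limit of the low-demand PFDavg band per SIL (IEC 61508-1 Table 2)
PFD_BAND_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}


def sil_from_pfd(pfd, module_share_le_10pct):
    """Highest SIL whose PFDavg band accommodates this module. When the module
    is credited with <= 10 % of the SIF's dangerous failures it must stay below
    10 % of the band limit (assumption on how the page applies the 10 % rule)."""
    factor = 0.1 if module_share_le_10pct else 1.0
    for sil in (4, 3, 2, 1):
        if pfd < factor * PFD_BAND_UPPER[sil]:
            return sil
    return 0


def claimed_sil(t_proof_years, module_share_le_10pct):
    """SIL the module can be claimed for at a given proof test interval: the
    PFDavg result, capped by the architectural constraint derived from SFF."""
    s = sff(LAM_SD, LAM_SU, LAM_DD, LAM_DU)
    pfd = pfd_avg(LAM_DU, t_proof_years)
    return min(sil_from_pfd(pfd, module_share_le_10pct), max_sil_type_a_hft0(s))


def report():
    """All derived figures, keyed like the page's tables."""
    lam_tot_safe = LAM_SD + LAM_SU + LAM_DD + LAM_DU
    lam_tot_device = lam_tot_safe + LAM_NO_EFFECT + LAM_NOT_PART
    return {
        "SFF_pct": round(100 * sff(LAM_SD, LAM_SU, LAM_DD, LAM_DU), 2),
        "lam_tot_safe": round(lam_tot_safe, 2),
        "lam_tot_device": round(lam_tot_device, 2),
        "MTBF_device_y": mtbf_years(lam_tot_device),
        "MTBF_safety_y": mtbf_years(lam_tot_safe),
        "MTTF_S_y": mttf_years(LAM_SD + LAM_SU),
        "MTTF_D_y": mttf_years(LAM_DU),
        "PFDavg": {t: f"{pfd_avg(LAM_DU, t):.2E}" for t in (1, 6, 20)},
        "SIL_le_10pct": {t: claimed_sil(t, True) for t in (1, 6, 20)},
        "SIL_gt_10pct": {t: claimed_sil(t, False) for t in (1, 6, 20)},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Running it reproduces every number on the page, and also shows why the 20-year proof test interval only appears under the ">10%" heading: at 3.15 E-04 the module would fall to SIL 2 under the 10% allocation rule. The SFF of 98.81% is what keeps the claim at SIL 3 regardless of PFDavg, since a Type A element with HFT = 0 needs SFF ≥ 99% for SIL 4 under the architectural constraint assumed here.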