DRAFT - 26 March 2015
SM45-55-SAD Rev 3
2 System configuration
An MTLx52x loop-powered module may be used in single-channel (1oo1) safety functions up to SIL3 and an
MTLx52x separately powered module may similarly be used up to SIL2 where the safe state is to de-energise
the output.
The figure below shows the system configuration and specifies the detailed interfaces to the safety-related and
non-safety-related system components. It does not aim to show all details of the internal module structure, but is
intended to support understanding of the application.
The MTLx52x modules are designed to power a field device such as a solenoid valve in the hazardous area and
are driven from a safe-area source. The yellow (hatched) area shows the safety relevant system connection when
using the loop-powered configuration. For simplicity the term ‘PLC’ has been used to denote the safety system
performing the driving function of the process loop.
2.1 Associated System Components
There are many parallels between assessing the loop components for intrinsic safety and assessing them for
functional safety: in both cases the contribution of each part is considered in relation to the whole.
The MTLx52x module is a component in the signal path between safety-related actuators and safety-related
control systems.
The solenoid valve, or other field device, must be suitable for the process and have been assessed and verified
for use in functional safety applications as well as its certification for hazardous area mounting.
3 Selection of Product and Implications
For the loop-powered modules there is only one function: to energize the output when power is applied to the input.
This may be used as a safety function, preferably with power off as the safe state, i.e. de-energise to safe.
When the module is loop powered, the output cannot be energised if the input is de-energised.
There is no significant energy storage within the module that could delay the de-energising of the output. The module
can be considered as a dc transformer where the output will de-energise to within 10% of its final value within 100ms
with a load up to 4kΩ.
Thus, when used in a de-energise to safe function, as identified in the next section, the dangerous undetected
failure rate $\lambda_{du}$ for the loop-powered MTL4/5521 modules is less than the maximum failure rate normally
applied for SIL3 systems with 1oo1 architecture.
This considers the hardware failure rate only; the user must also consider the systematic implications of applying
this equipment in safety functions where a number of safety-related subsystem channels are implemented to achieve
the requisite hardware fault tolerance.
For the separately powered modules which are controlled by a logic signal, the hardware failure rate and
systematic considerations indicate limiting the use of such modules to simplex (1oo1) loops achieving up to SIL2
for a de-energise to safe function.
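To make the comparison in the two paragraphs above concrete, the following added example (not part of this safety manual, and not MTL's own figures) applies the IEC 61508 simplified low-demand approximation for a single channel, PFDavg ≈ λ_du · T1 / 2, to show what "maximum failure rate normally applied for SIL3 systems with 1oo1 architecture" means for a given proof-test interval. The λ_du values used are assumed illustration values only; the certified figures for the MTLx52x modules must be taken from the module's own safety data.

```python
# Added worked example: IEC 61508 simplified 1oo1 low-demand PFD arithmetic.
# All failure rates below are ASSUMED illustration values, not the certified
# lambda_du of any MTL4/5521 module.

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 low-demand PFDavg bands: lower bound inclusive, upper exclusive.
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_years):
    """Average probability of failure on demand for one channel (1oo1),
    simplified formula: no common-cause term, negligible repair time."""
    t1_hours = proof_test_years * HOURS_PER_YEAR
    return lambda_du_per_hour * t1_hours / 2.0


def sil_from_pfd(pfd):
    """SIL band that a PFDavg falls into on the hardware-PFD criterion alone;
    0 means worse than SIL1. Architectural constraints (HFT/SFF) and the
    systematic requirements the manual refers to are NOT assessed here."""
    for sil in (4, 3, 2, 1):
        _lo, hi = SIL_BANDS[sil]
        if pfd < hi:
            return sil
    return 0


def max_lambda_du_1oo1(target_sil, proof_test_years):
    """Largest lambda_du (per hour) that keeps a 1oo1 channel below the
    upper PFD bound of the target SIL band for the given proof-test interval."""
    _lo, hi = SIL_BANDS[target_sil]
    return 2.0 * hi / (proof_test_years * HOURS_PER_YEAR)


if __name__ == "__main__":
    # Assumed lambda_du of 1e-7 /h (illustrative, not a certified value).
    lam = 1e-7
    for years in (1, 2, 3, 5):
        pfd = pfd_avg_1oo1(lam, years)
        print(f"T1={years}y  PFDavg={pfd:.2e}  SIL band={sil_from_pfd(pfd)}  "
              f"max lambda_du for SIL3={max_lambda_du_1oo1(3, years):.2e}/h")
```

Note that a longer proof-test interval lowers the λ_du ceiling for the same SIL band, which is why the manual's SIL3 claim must be read together with the proof-test regime the end user actually applies.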