DRAFT - 26 March 2015
SM45-55-SAD Rev 3
7
6
4.2
Systematic Safety Integrity
The design features and techniques/measures used to avoid systematic faults give the MTLx52x modules a
systematic safety integrity measure of SC 3.
Note: Earlier versions of this manual (Revisions 1 & 2) inferred a systematic safety integrity for MTLx52x
modules of SC 2. Subsequent independent assessment of the design features and techniques/measures used
to avoid systematic faults has allowed the modules to be awarded SC 3. No change has been made to the
product designs; the SC 3 systematic integrity measure therefore applies retrospectively to MTLx52x modules
installed under previous revisions of this manual.
4.3
SIL capability
Considering both the hardware safety integrity and systematic capability, the modules may be used as follows:
4.3.1 Loop-powered modules
Loop-powered modules may be used in SIL 3 safety functions in a simplex architecture (HFT =0) where the
required element safety function is to de-energise the output. In this application, loop-powered modules are
inherently incapable of powering the field device if no power is applied to the input. Where the required element
safety function is to energise the output, loop-powered modules may be used in SIL 1 safety functions in a
simplex architecture.
4.3.2 Separately-powered modules
The Separately-powered modules may be used in SIL 2 safety functions in a simplex architecture (HFT =0)
where the required element safety function is to de-energise the output. Duplication of modules in a voting
architecture may be used to achieve HFT=1. Where the required element safety function is to energise the
output, loop-powered modules may be used in SIL 1 safety functions in a simplex architecture.
Note: Independent of hardware architecture and systematic capability considerations, the hardware probability
of failure for the entire safety function needs to be calculated for the application to ensure the required PFH (for
a high or continuous demand safety function) or PFD
AVG
(for a low demand safety function) for the SIL is met.
The ‘SIL Capability’ statement assumes that no more than 10% of the probability of dangerous (undetected)
failure budget is used by the MTLx52x.
4.4 EMC
The MTL4500 and MTL5500 modules are designed for operation in normal industrial electromagnetic environment
but, to support good practice, modules should be mounted without being subjected to undue conducted or
radiated interference, see Appendix A for applicable standards and levels.
It is important that the effect of electromagnetic interference on the operation of any safety function is reduced
where possible. For this reason it is recommended that the cable connections from the logic solver to the isolator
modules be a maximum of 30 metres and are not exposed to possible induced surges, keeping them inside a
protected environment.
Any maintenance or other testing activity should only be conducted when the field loop is not in service, to avoid
any possibility of introducing a transient change in the field signal.
4.5 Environmental
The MTL4500 and MTL5500 modules operate over the temperature range from -20°C to +60°C, and at up to 95%
non-condensing relative humidity.
The modules are intended to be mounted in a normal industrial environment without excessive vibration, as
specified for the MTL4500 & MTL5500 product ranges. See Appendix A (Clause 7.1) for applicable standards and
levels.
Continued reliable operation will be assured if the exposure to temperature and vibration are within the values
given in the specification.