D1033 - SIL 2 Switch / Proximity Detector Repeater Transistor Output
G.M. International ISM0043-15, page 7
Functional Safety Manual and Application
Application for D1033D
Safety Function and Failure behavior:
D1033D is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.
The failure behaviour of D1033D is described by the following definitions:
- Fail-Safe State: it is defined as the output being de-energized (so that the output transistor is de-energized).
- Fail Safe: failure mode that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.
- Fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state), so that the output remains energized.
- Fail “No Effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account.
- Fail “Not Part”: failure mode of a component which is not part of the safety function but which is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.
Failure rate data: taken from Siemens Standard SN29500.
Description:
For this application, input line fault (open or short) detection is enabled, the output transistors are actuated in parallel and the direct input-to-output transfer function is selected, by setting the internal dip-switches as shown in the dip-switch tables on this page (see pages 13-14 for more information). The wiring diagrams on this page show the module in OFF operation and in ON operation.
The module is powered by connecting a 24 Vdc power supply to Pins 3 (+ positive) and 4 (- negative). The green LED is lit in presence of the power supply line. Input signals from the field are applied to Pins 13-14 (In 1 - Ch.1) and Pins 15-16 (In 2 - Ch.2). The transistor outputs (Out 1-A and Out 2-A) are both normally open (transistor de-energized, which is the safe state condition) for OFF operation, while they are both closed (transistor energized) for ON operation. Only Out 1-A and Out 2-A are functional safety related; Out 1-B (Out 1-A Duplicator) and Out 2-B (Out 2-A Duplicator) are for service purposes only and are not functional safety related. The input/output state table on this page describes, for each channel, the state (open or closed) of its output when its input signal is in OFF or ON state, and it gives information about the turn-on or turn-off of the related channel status LED and channel fault LED.
Failure rates table according to IEC 61508:2010 Ed.2:

| Failure category                                                                  | Failure rates (FIT) |
|-----------------------------------------------------------------------------------|---------------------|
| λdd = Total Dangerous Detected failures                                           | 0.00                |
| λdu = Total Dangerous Undetected failures                                         | 35.07               |
| λsd = Total Safe Detected failures                                                | 0.00                |
| λsu = Total Safe Undetected failures                                              | 107.54              |
| λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu          | 142.61              |
| MTBF (safety function, one channel) = (1 / λtot safe) + MTTR (8 hours)            | 800 years           |
| λno effect = “No Effect” failures                                                 | 116.69              |
| λnot part = “Not Part” failures                                                   | 218.50              |
| λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part    | 477.80              |
| MTBF (device, one channel) = (1 / λtot device) + MTTR (8 hours)                   | 238 years           |

Failure rate table:

| λsd      | λsu        | λdd      | λdu       | SFF    |
|----------|------------|----------|-----------|--------|
| 0.00 FIT | 107.54 FIT | 0.00 FIT | 35.07 FIT | 75.41% |

Systematic capability SIL 3.

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:
PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

| T[Proof] | PFDavg    | Valid for |
|----------|-----------|-----------|
| 1 year   | 1.54 E-04 | SIL 2     |
| 6 years  | 9.23 E-04 | SIL 2     |
| 10 years | 1.54 E-03 | SIL 2     |
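The following Python script is an added worked example, not part of this manual and not G.M. International code. It recomputes, from the failure-rate table on this page, λtot safe, λtot device, the SFF, the two MTBF figures, the 1oo1 low-demand PFDavg for each T[Proof], and the SIL the module may claim once both the PFDavg band of IEC 61508-1 and the architectural constraint for a Type A element with HFT = 0 (IEC 61508-2 route 1H, where an SFF between 60% and 90% allows at most SIL 2) are applied. That second constraint is why a PFDavg that falls inside the SIL 3 band is still only valid for SIL 2 here. The script assumes 8760 hours per year, the simplified formula PFDavg = λdu·T[Proof]/2 + λdd·MTTR without the 99% proof-test-coverage correction, and it models the “≤10% of total SIF dangerous failures” case as a PFD budget of one tenth of the band; that budget rule is the example's interpretation, not a figure taken from the page.

```python
"""Worked reliability figures for a 1oo1 low-demand module (added example,
not G.M. International code). Assumptions are marked in comments."""
import math

FIT = 1e-9              # 1 FIT = one failure per 1e9 hours
HOURS_PER_YEAR = 8760   # assumption: calendar hours per year
MTTR_H = 8.0            # mean time to restore, from the page

# Failure rates (FIT) copied from the page's failure-rate table
LAMBDA = {"dd": 0.00, "du": 35.07, "sd": 0.00, "su": 107.54,
          "no_effect": 116.69, "not_part": 218.50}


def lambda_tot_safe(lam=LAMBDA):
    """Total failure rate of the safety function: dd + du + sd + su."""
    return lam["dd"] + lam["du"] + lam["sd"] + lam["su"]


def lambda_tot_device(lam=LAMBDA):
    """Total device failure rate: safety function + no effect + not part."""
    return lambda_tot_safe(lam) + lam["no_effect"] + lam["not_part"]


def sff_percent(lam=LAMBDA):
    """Safe Failure Fraction: share of safety-function failures that are
    safe or detected (everything except dangerous undetected)."""
    return 100.0 * (lam["sd"] + lam["su"] + lam["dd"]) / lambda_tot_safe(lam)


def mtbf_years(lambda_fit):
    """MTBF = 1/lambda + MTTR, truncated to whole years as on the page."""
    return math.floor((1.0 / (lambda_fit * FIT) + MTTR_H) / HOURS_PER_YEAR)


def pfd_avg(t_proof_years, lam=LAMBDA):
    """1oo1 low-demand PFDavg = lambda_du * T_proof / 2 + lambda_dd * MTTR.
    Assumption: the 99 % proof-test-coverage correction is not modelled."""
    t_proof_h = t_proof_years * HOURS_PER_YEAR
    return lam["du"] * FIT * t_proof_h / 2.0 + lam["dd"] * FIT * MTTR_H


# IEC 61508-1 Table 2: upper PFDavg limit of each SIL band (low demand)
PFD_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}


def sil_from_pfd(pfd, budget=1.0):
    """Highest SIL whose band holds the PFDavg. budget=0.1 restricts the
    module to one tenth of the band; this is how the example interprets the
    page's '<= 10 % of total SIF dangerous failures' case (assumption)."""
    for sil in (4, 3, 2, 1):
        if pfd < PFD_UPPER[sil] * budget:
            return sil
    return 0


def sil_arch_type_a(sff_pct, hft):
    """IEC 61508-2 Table 2 (route 1H), Type A element: maximum SIL allowed
    by SFF and hardware fault tolerance."""
    if sff_pct < 60:
        base = 1
    elif sff_pct < 90:
        base = 2
    else:
        base = 3          # 90 %..<99 % and >= 99 % both give SIL 3 at HFT 0
    return min(4, base + hft)


def module_sil(t_proof_years, budget=1.0, hft=0):
    """SIL the module may claim: the lower of the PFDavg-based SIL and the
    architectural-constraint SIL."""
    return min(sil_from_pfd(pfd_avg(t_proof_years), budget),
               sil_arch_type_a(sff_percent(), hft))


if __name__ == "__main__":
    print(f"lambda tot safe   = {lambda_tot_safe():.2f} FIT")
    print(f"lambda tot device = {lambda_tot_device():.2f} FIT")
    print(f"SFF               = {sff_percent():.2f} %")
    print(f"MTBF safety fn    = {mtbf_years(lambda_tot_safe())} years")
    print(f"MTBF device       = {mtbf_years(lambda_tot_device())} years")
    for t in (1, 6, 10):
        print(f"T[Proof] = {t:2d} y: PFDavg = {pfd_avg(t):.2E}, "
              f"SIL by PFD = {sil_from_pfd(pfd_avg(t))}, "
              f"valid for SIL {module_sil(t)} (SIL {module_sil(t, 0.1)} "
              f"if limited to 10 % of the SIF budget)")
```

Running the script reproduces λtot safe, λtot device, the SFF and both MTBF values exactly as printed on the page, and the PFDavg values to within 1% (the simplified formula gives 9.22 E-04 rather than 9.23 E-04 at six years). The useful check for a practitioner is the last column: with HFT = 0 the architectural constraint, not the PFDavg, is what caps the module at SIL 2 for every proof-test interval on the page.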
4 positions Dip-switch:

| Dip-switch position | 1  | 2   | 3  | 4   |
|---------------------|----|-----|----|-----|
| ON/OFF state        | ON | OFF | ON | OFF |

8 positions Dip-switch:

| Dip-switch position | 1  | 2  | 3  | 4  | 5   | 6  | 7   | 8  |
|---------------------|----|----|----|----|-----|----|-----|----|
| ON/OFF state        | ON | ON | ON | ON | OFF | ON | OFF | ON |
[Wiring diagrams: D1033D (Ch.1 and Ch.2) in OFF operation and in ON operation; terminal labels as shown in the diagrams]
- Supply 24 Vdc: Pin 3 (+), Pin 4 (-).
- Field inputs: In 1 on Pins 13-14, In 2 on Pins 15-16.
- Safety related outputs to Safety PLC Input: Out 1-A on Pin 1 (Pin 2 Common Channel 1), Out 2-A on Pin 5 (Pin 6 Common Channel 2).
- Service outputs to Safety PLC Input: Out 1-B on Pin 7 (Pin 2 Common Channel 1), Out 2-B on Pin 8 (Pin 6 Common Channel 2). Out 1-B is Out 1-A Duplicator, Out 2-B is Out 2-A Duplicator.
- OFF operation: Field Input proximity is OFF or switch is open; Out 1-A and Out 2-A are de-energized, out contacts are open.
- ON operation: Field Input proximity is ON or switch is closed; Out 1-A and Out 2-A are energized, out contacts are closed.
| Input signal state, Pins 13-14 (In 1 - Ch.1) or 15-16 (In 2 - Ch.2) | Output transistor state Out 1-A or Out 2-A (Functional safety related output) | 1-A or 2-A Ch. status yellow LED state | 1-A or 2-A Ch. fault red LED state | Output transistor state Out 1-B or Out 2-B (for service purpose, not safety related output) | 1-B or 2-B Ch. status yellow LED state | 1-B or 2-B Ch. fault red LED state |
|---|---|---|---|---|---|---|
| Proximity sensor is OFF or switch is open | Open (De-energized transistor) | OFF | OFF | Open | OFF | OFF |
| Proximity sensor is ON or switch is closed | Closed (Energized transistor) | ON | OFF | Closed | ON | OFF |
| The input line is broken | Open (De-energized transistor as safe state condition) | OFF | ON | Open | OFF | OFF |
| The input line is in short circuit | Open (De-energized transistor as safe state condition) | OFF | ON | Closed | ON | OFF |

Out 1-B is Out 1-A Duplicator.
Out 2-B is Out 2-A Duplicator.