Gm international Psd1210 User manual

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc ISM0076-7

PSD1206 - PSD1210

INSTRUCTION MANUAL

SIL 3 - SIL 2 Switching Power Supply

24Vdc, 10A, 250W Output, Zone 2/Div. 2

DIN-Rail Mounting Model PSD1210

SIL 3 - SIL 2 Switching Power Supply

24Vdc, 6A, 150W Output, Zone 2/Div. 2

DIN-Rail Mounting Model PSD1206

2 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

General Description: The PSD1206 or PSD1210 is a DIN-Rail Power Supply to supply process control equipment and can be located in Safe Area/ Non Hazardous Location or

Zone 2 / Division 2 Hazardous Area / Hazardous Location. PSD1206 provides 24 Vdc nominal with 6 A output current and isolation between input - output - ground (2000 V).

PSD1210 provides 24 Vdc nominal with 10 A output current and isolation between input - output - ground (2000V). These supply units can be paralleled for redundancy operation to

increase availability upgrading the system from SIL 2 to SIL 3 or to increase the output power. Internal power diode for parallel operation prevents fault propagation in parallel

connected supply systems and load sarin distributes current load equally to each power supply to increase reliability and reduce internal power dissipation.

Signalling LED: Power supply status indication (green).

Alarm: Output voltage deviation ≥± 5 % from nominal 24 Vdc. Power ON led is off when output voltage is in overvoltage condition or is blinking in undervoltage or overload condition.

Overvoltage protection: Three independent overvoltage protections: 1 voltage limiting loop at 27 Vdc and 1 + 1 crowbars at 29 Vdc.

Periodical testing: builtin provisions for on-site T-proof test without having to remove the enclosure.

EMC: Fully compliant with CE marking applicable requirements.

High load fuse breaking capacity: In case of short circuit of one of the loads, the output current has a peak of 430 A for a duration of 0.5 ms (40 times the max. value) and then

reaches 12 A (max. value) after 1.5 ms. For two units in parallel this current reaches 860 A (80 times the max. value). This characteristic ensures the instant breakage of the protective

fuse or circuit breaker. Because of the very short peak duration, other equipments connected are not affected by the failure event and continue to operate without interruption.

Refer to instruction manual ISM0076 for a detailed diagram of the output current.

PSD1206 Switching Power Supply 24 Vdc 6A Output

PSD1210 Switching Power Supply 24 Vdc 10A Output

Characteristics........................................................................................................................................................................... 2

Technical Data .......................................................................................................................................................................... 2

Ordering Information ................................................................................................................................................................. 3

Features .................................................................................................................................................................................... 3

Function Diagram...................................................................................................................................................................... 3

Warning..................................................................................................................................................................................... 4

Storage...................................................................................................................................................................................... 4

Disposal..................................................................................................................................................................................... 4

Operation................................................................................................................................................................................... 5

Installation ................................................................................................................................................................................. 5

Start-up...................................................................................................................................................................................... 6

High load fuse breaking capacity .............................................................................................................................................. 6

Functional Safety Manual for Safety Related Systems and SIL2, SIL3 Applications................................................................ 6

Functional Safety Specifications from EXIDA analysis and report according IEC 61508 – IEC 61511 .................................... 7

Definitions.................................................................................................................................................................................. 7

General Terms .......................................................................................................................................................................... 8

Assumptions.............................................................................................................................................................................. 8

Summary of Data from EXIDA .................................................................................................................................................. 9

Notes....................................................................................................................................................................................... 12

Possible Proof Tests to reveal Dangerous Undetected Faults................................................................................................ 13

Impact of lifetime of critical components on Failure Rate........................................................................................................ 17

Influence of PFDavg calculation on efficiency of Proof Test for a 1oo1 architecture. ............................................................. 17

48 Vdc Output with connection in series of power supply....................................................................................................... 17

48 Vdc Output with 100 % redundance................................................................................................................................... 18

Side A Configuration ............................................................................................................................................................... 19

Side B configuration ................................................................................................................................................................ 20

Characteristics

Index

Supply: Input voltage: 95 to 264 Vac (48 to 62 Hz) or 115 to 350 Vdc. Limit supply voltage to 250 Vrms for Instrinsic Safety applications.

Power Factor Correction (AC input): 0.95.

Efficiency: higher than 80 %.

Max. internal power dissipation PSD1206: 30 W.

Max. internal power dissipation PSD1210: 50 W

AC input current (sinusoidal at full load) PSD1206: 0.8 A @ 230 Vac supply voltage, 1.7 A @ 115 Vac supply voltage

AC input current (sinusoidal at full load) PSD1210: 1.4 A @ 230 Vac supply voltage, 2.8 A @ 115 Vac supply voltage

Protection: 6.5 A fuse (dual). Connection: plug-in terminal block for 4 mm2wire.

Isolation: Input to output isolation: 2000 Vrms (routine test).

Input to ground isolation: 2000 Vrms (routine test).

Output: Output voltage: 24 Vdc (adjustable from 22.8 to 25.2 Vdc).

Regulation: 0.2 % for a 100 % load change.

Stability: 0.1 % for a 20 % line voltage change.

Ripple: ≤50 mVpp.

Output current PSD1206: 6 A nominal. Parallel connection for redundancy with load sharing.

Output current PSD1210: 10 A nominal, 12 A maximum. Parallel connection for redundancy with load sharing.

Technical Data

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

Connection: plug-in terminal block for 4 mm2wire.

Hold-up time at full load: 100 ms (AC input).

Over voltage protection: output limited to 27 Vdc plus redundant crowbars for over voltage protection at 29 Vdc.

Power good signalling: Output good: 0.95 ≤Vout ≤1.05 nominal value.

Indication: power good green LED, OFF in overvoltage condition or blinking in undervoltage or overload condition.

Signalling: voltage free SPST normally energized optocoupled open-collector transistor, de-energize in overvoltage/undervoltage/overload conditions.

Open-collector rating: 100 mA at 35 V (≤2.0 V voltage drop)

Leakage current: ≤50 µA at 35 V.

Connection: plug-in terminal block for 2.5 mm2wire.

Compatibility:

CE mark compliant, conforms to EN61000-6-2, EN61000-6-4, EN60950 for electrical safety and 89/336/CEE EMC Directive.

Environmental conditions:

Operating temperature limits: -20 to + 60 °C.

Relative humidity limits (up to 40 °C): 10 to 90 %, non condensing.

Transport, storage temperature limits: - 45 to + 80 °C.

Safety Description:

ATEX Category 3 for Zone 2. II 3 G EEx nA IIC T4, -20 °C ≤Ta ≤60 °C. AEx nA T3 for FM certification, -20 °C ≤Ta ≤60 °C.

Approvals: DNV-2006-OSL-ATEX-0099X conforms to EN60079-15, FM & FM-C No. 3024643, 3029921C, conforms to Class 3600, 3611, 3810 and C22.2 No.142, C22.2 No.213,

E60079-0, E60079-15, EXIDA Report No. GMI 06/11-20 R004, SIL 1 / SIL 2 / SIL 3 according to IEC 61508. Please refer to Functional Safety Manual for SIL applications.

Mechanical: Mounting: T35 DIN Rail according to EN50022.

Weight PSD1206: about 1.8 Kg. Weight PSD1210: about 2.5 Kg.

Location: Safe Area/Non Hazardous Locations or Zone 2, Group IIC T4, Class I, Division 2, Groups A, B, C, D Temperature Code T3 and Class I, Zone 2, Group IIC, IIB, IIA

T3 installation.

Protection class: IP 20.

Dimensions PSD1206: width 200 mm, height 95 mm, depth 110 mm.

Features

• SIL 3 according to IEC 61508 for Tproof = 3 / 6 years (10 / 20 % of total SIF,

two units in parallel with NE Load).

• SIL 2 according to IEC 61508 for Tproof = 9 / 10 years (10 / 20 % of total SIF,

two units in parallel with ND Load).

• SIL 2 according to IEC 61508 for Tproof = 1 / 3 years (10 / 20 % of total SIF,

single unit with NE Load).

• SIL 1 according to IEC 61508 for Tproof = 5 / 10 years (10 / 20 % of total SIF,

single unit with ND Load).

• PFDavg (1 year) 3.03 E-05, SFF 99 % (2 units, NE Load).

• PFDavg (1 year) 8.09 E-05, SFF 97 % (2 units, ND Load).

• PFDavg (1 year) 5.90 E-04, SFF 80 % (1 unit, NE Load).

• PFDavg (1 year) 1.53 E-03, SFF 48 % (1 unit, ND Load).

• Universal AC / DC Input, 95 to 264 Vac (48 to 62 Hz) or 115 to 350 Vdc.

• Installation in Zone 2, Division 2.

• ATEX, FM & FM-C Certifications.

Ordering information

Model: PSD1206 Model: PSD1210

SAFE AREA, ZONE 2 GROUP IIC T4,

NON HAZARDOUS LOCATIONS, CLASS I, DIVISION 2, GROUPS A, B, C, D T-Code T3, CLASS I, ZONE 2, GROUP IIC T3

Function Diagram

++- - -+ L/+N/-

Current

Sharing

Fault

Output

Supply

Input

24 Vdc

Output

SIL 2

MODELS PSD1206 - PSD1210

• Power Factor Correction eliminates power-line harmonics loading.

• High load fuse breaking capacity without interrupting operation.

• PSD1206 Highly regulated, trimmable output of 24 Vdc up to 6 A.

• PSD1210 Highly regulated, trimmable output of 24 Vdc up to 10 A.

• 3 over-voltage redundant protections prevent risks to the load.

• Supports redundant parallel connection with load sharing.

• Under-Over voltage alarm monitoring with signalling output (± 5 %).

• Under-Over voltage LED indication.

• 100 ms hold-up time at full load, mitigates power-line glitches.

• Durable metal enclosure, improves shielding and heat sinking.

• High (better than 80 %) efficiency.

• Simplified installation using standard DIN-Rail and plug in input and output

terminal blocks.

• Externally accessible connections for Tproof periodic test.

4 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

SAFE AREA, ZONE 2 GROUP IIC T4,

NON HAZARDOUS LOCATIONS, CLASS I, DIVISION 2, GROUPS A, B, C, D T-Code T3, CLASS I, ZONE 2, GROUP IIC T3

Function Diagram

Non-incendive field wiring is not recognized by the Canadian Electrical Code, installation is permitted in the US only.

For installation of the unit in a Class I, Division 2 or Class I, Zone 2 location, the wiring between the control equipment and the PSD1206, PSD1210 shall be accomplished via conduit

connections or another acceptable Division 2, Zone 2 wiring method according to the NEC and the CEC.

For Intrinsic Safety application limits the line supply voltage to a maximum of 250 Vrms, not to be connected to control equipment that uses or generates more than

250 Vrms or Vdc with respect to earth ground.

PSD1206, PSD1210 must be installed, operated and maintained only by qualified personnel, in accordance to the relevant national/international installation standards

(e.g. IEC/EN60079-14 Electrical apparatus for explosive gas atmospheres - Part 14: Electrical installations in hazardous areas (other than mines), BS 5345 Pt4, VDE 165, ANSI/ISA

RP12.06.01 Installation of Intrinsically Safe System for Hazardous (Classified) Locations, National Electrical Code NEC ANSI/NFPA 70 Section 504 and 505, and the Canadian Electrical

Code CEC) following the established installation rules.

The power supply must be placed in an enclosure with IP4X protection degree when used in locations providing adequate protection against the entry of solid foreign

objects or water capable of impairing safety, or be placed in an enclosure with IP54 protection degree for other locations.

De-energize main power source (turn off power supply voltage), wait at least 3 minutes to discharge internal capacitors before plug or unplug the terminal blocks when installed in

Hazardous Area/Hazardous Locations or unless area is known to be nonhazardous. Hazardous voltage are present at the input terminal block and inside the unit when connected to the

main supply voltage, do not touch electrical connection and do not put conductive object inside the unit.

Warning: substitution of components may impair Intrinsic Safety and suitability for Division 2, Zone 2.

Explosion Hazard: to prevent ignition of flammable or combustible atmospheres, disconnect power before servicing or unless area is known to be nonhazardous.

Failure to properly installation or use of the equipment may risk to damage the unit or severe personal injury.

The unit has no serviceable parts inside, do not open the enclosure. The unit cannot be repaired by the end user and must be returned to the manufacturer or his authorized

representative, any unauthorized modification must be avoided.

Warning

PSD1206, PSD1210

Power Supply

FM Approved under

non-incendive field wiring

Unclassified Locations or

Hazardous (Classified) Locations

Class I, Division 2, Groups A, B, C, D, T-Code T3

Class I, Zone 2, Group IIC, IIB, IIA, T-Code T3

Hazardous (Classified) Locations

Class I, Division 2, Groups A, B, C, D

Class II, Division 2, Groups E, F, G

Class III, Division 2

Class I, Zone 2, Group IIC, IIB, IIA

FM Approved under non-incendive field

wiring (permitted only for US installations),

UL Listed or third party approval

Non-incendive

Equipment

Unclassified Locations

-24Vdc

+24Vdc+

FLT+

L/+

N/-

FLT- -

Supply Line

Control

Equipment

Must not use or generate

more than 250 Vrms or Vdc

Storage

If after an incoming inspection the unit is not installed directly on a system (parts for spare or expansion with long storage periods) it must be conveniently stocked. Stocking area

characteristics must comply with the following parameters: Temperature: –20 to +60 °C, the –45 to +80 °C in the data sheet is meant for limited periods, mainly to arrange for air

transport, -10 to +30 °C are preferred. Humidity: 0 to 90 %, long period high humidity affects the package integrity, 0 to 60 % humidity is preferred.

Vibration: no prolonged vibration should be perceivable in the stocking area to avoid loosening of parts or fatigue ruptures of components terminals.

Pollution: presence of pollutant or corrosive gases or vapors must be avoided to prevent corrosion of conductors and degradation of insulating surfaces.

Disposal

The product should not be disposed with other wastes at the end of its working life. It may content hazardous substances for the health and the environment, to prevent possible harm

from uncontrolled waste disposal, please separate this equipment from other types of wastes and recycle it responsibly to promote the sustainable reuse of material resources.

This product should not be mixed with other commercial wastes for disposal.

MODELS PSD1206 - PSD1210

++-- -+ L/+N/-

Current

Sharing

Fault

Output 1

Supply

Input 1

24 Vdc

Output Bus

MODELS PSD1206 - PSD1210

++-- -+ L/+N/-

Current

Sharing

Fault

Output 2

Supply

Input 2

Connection for current sharing

SIL 3

PSD1206 or PSD1210 is an isolated Switching Power Supply unit installed on a standard EN50022 T35 DIN Rail located in Safe Area/Non Hazardous Locations or Zone 2, Group IIC,

Temperature Classification T4, Class I, Division 2, Groups A, B, C, D, Temperature Code T3 and Class I, Zone 2, Group IIC, IIB, IIA Temperature Code T3 Hazardous Area/Hazardous

Locations (according to EN/IEC60079-15, FM Class No.3611, CSA-C22.2 No. 213-M1987, CSA-E60079-15) within the specified operating temperature limits Tamb -20 to +60 °C and

mounting conditions.

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

Operation

PSD1206, PSD1210 provides fully floating 24 Vdc supply to drive process control equipment like instrumentation, control systems, PLC or loads requiring a stabilized voltage, located in

Safe Area/Non Hazardous Locations or Zone 2, Group IIC, Temperature Classification T4, Class I, Division 2, Groups A, B, C, D, Temperature Code T3 and Class I, Zone 2, Group IIC,

IIB, IIA Temperature Code T3 Hazardous Area/Hazardous Locations ensuring that the relevant safety installation conditions are respected. PSD1206 provides a 6 A, 150 W output

capability while the PSD1210 provides a 10 A, 250 W output capability. The power supply has a switching input and a power factor correction circuit resulting in a high efficiency module.

Output is provided with a decoupling diode that permits the parallel operation to increase the current capability or redundancy operation (note that for parallel operation the output voltage

must be separately calibrated at the same value through the “Vout Adjust” trimmer to improve the current sharing operation). Output voltage can be regulated within ± 5 % of the nominal

value. Use an isolated screwdriver for trimmer adjustments. Output circuit is protected by three independent overvoltage circuit: 1 voltage limiting loop at 27 Vdc and 1 + 1 crowbars

at 29 Vdc. Output circuit has under and over voltage detection with separate signaling by an optocoupled transistor; alarm output is normally closed (energized transistor), it de-energizes

when output voltage goes out of the ± 5 % range of the nominal value. It de-energizes also with an input voltage lack. Presence of supply power and normal working condition is

displayed by a green signaling LED: this is normally ON in normal operation, is OFF in overvoltage output or input voltage lack condition and is blinking in undervoltage or overload

condition. Units is equipped with trimmers for output voltage setting and for alarm threshold setting. Example of setting output voltage and alarm threshold: suppose to have a power

supply standard with 24 Vdc output and thresholds set at 22.8-25.2 V. Suppose you want to set the output at 25 V with 23.7-26.3 V threshold value. The procedure to be used is the

following: rotate the “Vout Adjust” trimmer until the voltage has reached the new upper threshold value of 26.3 V. Rotate the “Alarm Adjust” trimmer until the “Power ON” LED turn on,

then slowly rotate until the LED turn off; in this way you set the threshold value at 26.3 V. Finally rotate the “Vout Adjust” trimmer until the output voltage has reached the new requested

value of 25 V.

Installation

The terminal block are not usable as breaking device according to EN60950. The wiring cables have to be proportionate in base to the current and the length of the cable.

For PSD1206 typical cable section is AWG15 for input connection and AWG13 for output connection. For PSD1210 typical cable section is AWG12 for input connection and AWG10 for

output connection. Identify the function and location of each connection terminal using the wiring diagram on the corresponding data sheet, as an example:

Connect AC input mains power at terminal “L/+” and “N/-” to the “Supply Line” terminal block. Connect the terminal “ “ to the protective earth of the system.

Connect positive output at terminal “+” and negative output at terminal “-” to the “24 Vdc Output” terminal block (two connections provided).

Connect if required the alarm indication at terminal “+” and “-“ to the “Fault Output” terminal block, the alarm is provided by an optocoupled transistor normally closed (energized),

it de-energizes in fault condition of the power supply. In case of parallel or redundancy operation of the power supply, connect the terminal “CS” of the “Current Sharing Bus” terminal

block at each power supply in the system.

1.5*

Vin_min

1.2*Pout

Itar =

PSD1206, PSD1210 is a switching power supply housed in a light metal enclosure suitable for installation on T35 DIN Rail according to EN50022.

PSD1206, PSD1210 unit must be mounted with horizontal (standard) orientation for –20 to +60 °C ambient temperature operation range, ensuring a proper free space of 5 cm

around the enclosure to let the necessary air flow for convection cooling.

Standard Orientation (OK)

Non Standard Orientation (Not permitted)

where Itar = circuit breaker current, Pout = requested output power, Vin_min = minimum supply voltage.

Electrical connection of conductors up to 4.0 mm² are accommodated by plug-in removable screw terminal blocks which can be plugged in/out into a powered unit without suffering or

causing any damage (for Zone 2 or Division 2 installations check the area to be nonhazardous before servicing). On the data sheet and enclosure side a block diagram identifies

all connections. The input line is internally protected by fuses (1 for each line); connect an automatic bipolar “C” intervention characteristics switch, upstream the power supply line or

other equipment to ensure compliance with local regulations. For the choice of the input automatic circuit breaker protection, it is opportune to use the following formula:

6 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

Installation and wiring must be in accordance to the relevant national or international installation standards (e.g. IEC/EN60079-14 Electrical apparatus for explosive gas atmospheres

- Part 14: Electrical installations in hazardous areas (other than mines), BS 5345 Pt4, VDE 165, ANSI/ISA RP12.06.01 Installation of Intrinsically Safe System for Hazardous (Classified)

Locations, National Electrical Code NEC ANSI/NFPA 70 Section 504 and 505, and the Canadian Electrical Code CEC), make sure that conductors are well isolated from each other and

do not produce any unintentional connection. The enclosure provides, according to EN60529, an IP20 minimum degree of mechanical protection (or similar to NEMA Standard

250 type 1) for indoor installation, outdoor installation requires an additional enclosure with higher degree of protection (i.e. IP54 to IP65 or NEMA type 12-13) consistent with the

effective operating environment of the specific installation.

The power supply must be placed in an enclosure with IP4X protection degree when used in locations providing adequate protection against the entry of solid foreign

objects or water capable of impairing safety, or be placed in an enclosure with IP54 protection degree for other locations when used for Intrinsic Safety installations.

Units must be protected against dirt, dust, extreme mechanical (e.g. vibration, impact and shock) and thermal stress, and casual contacts.

If enclosure needs to be cleaned use only a cloth lightly moistened by a mixture of detergent in water.

Any penetration of cleaning liquid must be avoided to prevent damage to the unit. Any unauthorized card modification must be avoided.

Start-up

Before powering the unit check that all wires are properly connected, particularly their polarity. Check conductors for exposed wires that could touch each other causing dangerous

unwanted shorts. Turn on power, the “power on” green led must be lit, check the supply voltage generated by PSD1206, PSD1210 is 24 Vdc.

High load fuse breaking capacity

Figure below shows the current waveform through the short circuit connection:

1) The peak short circuit current is about 430 A.

2) This peak current decays to 37 %

(time constant) within 0.5 msec.

3) The current decays to about 12 A within 1.5 msec.

4) The I2t of the short circuit current pulse is about

50 A2sec.

This Safety Manual summarizes the results of hardware assessment carried out on the PSD1206, PSD1210 Power Supply. The failure rates used in this analysis are the basic failure

rates from the Siemens standard SN 29500. According the table 2 of IEC 61508-1, the average PFD for systems operating in low demand mode has to be ≥1.00 E-03 to < 1.00 E-02

for SIL 2 safety functions. However, as the modules under consideration are only one part of an entire safety function, they have been certified claiming no more than 10% of this range.

For SIL 2 application the total PFDavg value of the SIF must be smaller than 1.00 E-02, hence the maximum allowable PFDavg value for the assed modules would then be 1.00 E-03.

The listed modules are considered to be Type A (“Non-complex” component with all failure modes well defined, for details see 7.4.3.1.2 of IEC 61508-2) components, with a hardware

fault tolerance of 0. According to table 2 of IEC61508-2, for Type A components the SFF has to be:

• less than 60% for SIL 1 (sub-) systems with a hardware fault tolerance of 0;

• between 60% and 90% for SIL 2 (sub-) systems with a hardware fault tolerance of 0;

• less than 60% for SIL 2 (sub-) systems with a hardware fault tolerance of 1;

• between 90% and 99% for SIL 3 (sub-) systems with a hardware fault tolerance of 0;

• between 60% and 90% for SIL 3 (sub-) systems with a hardware fault tolerance of 1.

Functional Safety Manual for Safety Related Systems and SIL2, SIL3 Applications

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

Functional Safety Specifications from EXIDA analysis and report according IEC 61508 – IEC 61511

Model

PSD1206

Single Unit

NE Loads

PSD1206

Single Unit

ND Loads

PSD1210

Single Unit

NE Loads

PSD1210

Single Unit

ND Loads

PSD1206

2 Units

In parallel

NE Loads

PSD1206

2 Units

In parallel

ND Loads

PSD1210

2 Units

In parallel

NE Loads

PSD1210

2 Units

In parallel

ND Loads

Safety

Function

Isolated

Switching

Power

Supply

Isolated

Switching

Power

Supply

Isolated

Switching

Power

Supply

Isolated

Switching

Power

Supply

Isolated

Switching

Power

Supplies

Isolated

Switching

Power

Supplies

Isolated

Switching

Power

Supplies

Isolated

Switching

Power

Supplies

SFF

80.1 %

48.3 %

80.1 %

48.3 %

99.4 %

97.2 %

99.4 %

97.2 %

PFDavg

Per year

5.90 E-04

1.53 E-03

5.90 E-04

1.53 E-03

3.03 E-05

8.09 E-05

3.03 E-05

8.09 E-05

T Proof Test

(years)

for defined

SIL value

(10% of total

safety func.)

TI = 1 SIL 2

TI = 5 SIL 1

TI = 1 SIL 2

TI = 5 SIL 1

TI = 3 SIL 3

TI = 10 SIL 2

TI = 9 SIL 2

TI = 3 SIL 3

TI = 10 SIL 2

TI = 9 SIL 2

T Proof Test

(years)

for defined

SIL value

(20% of total

safety func.)

TI = 3 SIL 2

TI = 10 SIL 1

TI = 3 SIL 2

TI = 10 SIL 1

TI = 6 SIL 3

TI = 10 SIL 2

TI = 6 SIL 3

TI = 10 SIL 2

Hardware

Fault

Tolerance

EXIDA

or TÜV

analysis

Fail-Safe

Output

State

λSU

(FIT)

λDD

(FIT)

λDU

(FIT)

MTBF

(years)

Exida

<2V

20V<…<30V

<2V

20V<…<30V

<2V

20V<…<30V

<2V

20V<…<30V

542

327

542

327

1084

654

1084

654

135

350

135

350

6.9

18.5

6.9

18.5

134

(with

diagnostic)

134

(with

diagnostic)

134

(with

diagnostic)

134

(with

diagnostic)

(with

diagnostic)

112

(with

diagnostic)

(with

diagnostic)

112

(with

diagnostic)

In order to judge the failure behavior of the considered modules, the following definitions for the failure of the product must be considered:

• Fail-Safe State: The fail-safe state is defined as the output reaching the user defined threshold.

In normally energized (NE) loads, is defined as the output being between 20 V and 30 V (load current up to 80% of rated) or lower than 2V.

In normally de-energized (ND) loads, is defined as the output being between 20 V and 30 V (load current up to 80% of rated).

• Fail Safe: Fail that causes the output to go to the defined fail-safe state without a demand from the process.

• Fail Dangerous: with normally energized (NE) loads, failure that leads to an output higher than 30 V or between 2 V and 20 V.

With normally de-energized (ND) loads, failure that leads to an output higher than 30 V or lower than 20 V.

• Fail High: Failure mode that leads to an over voltage condition (> 30 V).

• Fail Low: Failure mode that leads to an under voltage condition (< 2 V).

• Fail “No Effect”: Failure mode of a component that is part of the safety function but has no effect on the safety function.

For the calculation of SFF it is treated like a safe undetected failure.

• Fail “Annunciation Undetected”: Failure mode that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit) and

that is not detected by internal diagnostics. For the calculation of SFF it is treated to 1 % as a dangerous failure and to 99 % as a no effect failure as in this system there are

3 different over voltage protection mechanism.

• Fail “Not part”: Failures of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness.

When calculating the SFF this failure mode is not taken into account. It is also not considered for the total failure rate evaluation.

Definitions

8 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

• DC: Diagnostic coverage (safe or dangerous) of the safety logic solver for the considered module.

• DCs: Diagnostic coverage for safe failures = λsd / (λsd + λsu).

• DCd: Diagnostic coverage for dangerous failures = λdd / (λdd + λdu).

• FIT: Failure In Time (1x10 E-9 failures per hour).

• Failure Rates: The failure rate data used in the FMEDA analysis are the basic failure rates from the Siemens SN 29500 failure rate database. The rates where chosen in a way

that is appropriate for safety integrity level verification calculations, and to mach operating stress conditions typical of an industrial field environment similar to IEC 60654-1,

class C. It is expected that the actual number of field failures will be less than the number predicted by these failure rates.

• FMEA: Failure Modes and Effects Analysis is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or

reduce the chance of failure, and to document the system in consideration.

• FMEDA: Failure Modes Effects and Diagnostic Analysis is an FMEA extension. It combines standard FMEA techniques with extension to identify online diagnostics techniques

and the failure mode relevant to safety instrumented system design. It is a technique recommended to generate failure rates for each important category (safe detected, safe

undetected, dangerous detected, dangerous undetected, fail high, fail low) in the safety modules. The format for the FMEDA is an extension of the FMEA format MIL STD 1629A.

• Low demand mode: Mode where the frequency of demands for operation made on Safety-related system is no greater than one per year and no greater than twice the proof test

frequency.

• MTBF: Mean Time Between Failure.

• MTTF: Mean Time To Failure.

• MTTFS: Mean Time To safe Failure.

• MTTFD: Mean Time To dangerous Failure.

• MTTR: Mean Time To Repair.

• PFDavg: Average Probability of Failure on Demand.

• SFF: Safe Failure Fraction, according IEC 61508 summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic

measures and lead to a defined safety action.

General Terms

SUSD

SUSDDD

SFF

+++

−=

+++

with: λDD: Dangerous Detected failure rate; λDU: Dangerous Undetected failure rate

λSD: Safe Detected failure rate; λSU: Safe Undetected failure rate

• SIF: Safety Instrumented Function.

• SIS: Safety Instrumented System.

• SIL: Safety Integrity Level.

• T Proof Test & Maintenance (TI): Proof Test Interval (for example 1 - 5 - 10 years, with 1 year = 8760 hours). Maintenance time is considered 8 hours.

The following assumptions have been made during the Failure Modes, Effects, and Diagnostic Analysis of the Switching Power Supply Types PSD1206 and PSD1210.

• Failure rates are constant, wear out mechanisms are not included.

• Propagation of failures is not relevant.

• Failures during parameterization are not considered.

• Sufficient test are performed prior to shipment to verify the absence of component supplier and/or manufacturing defects that prevent proper operation of specified functionality to

product specifications or cause operation different from design analyzed.

• The device is operated in the low demand mode of operation.

• The time to restoration or repair time after a safe failure is 8 hours, as MTTR.

• Only the described versions are used for safety applications.

• Practical fault insertion tests can demonstrate the correctness of the failure effects assumed during the FMEDAs.

• The fault output is not part of the safety function.

• The common cause factor βbetween the two crowbars is estimated at be 5 %.

• The stress levels are average for an industrial environment and the assumed environment is similar to IEC 60654-1, Class C (Sheltered location) with temperature limits within the

manufacturer’s rating and an average temperature over a long period of time of 40 °C. Humidity levels are assumed within manufacturer’s rating.

• The listed failure rates are valid for operating stress conditions typical of an industrial field environment similar to IEC 60654-1 class C with an average temperature over a long

period of time of 40 °C. For a higher average temperature of 60 °C, the failure rates should be multiplied with an experience based factor of 2.5. A similar multiplier should be

used if frequent temperature fluctuation must be assumed.

• Over voltage protection has a diagnostic coverage of 99 %.

• Safety Integrity Levels as defined in IEC 61508 and IEC 61511:

Assumptions

SIL

Safety Integrity Level

SIL 4

SIL 3

SIL 2

SIL 1

PFDavg

Average probability of failure

on demand per year

(low demand)

≥10-5 to < 10-4

≥10-4 to < 10-3

≥10-3 to < 10-2

≥10-2 to < 10-1

RRF

Risk Reduction Factor

From 100000 to 10000

From 10000 to 1000

From 1000 to 100

From 100 to 10

PFDavg

Average probability of dangerous

failure on demand per hour

(high demand)

≥10-9 to < 10-8

≥10-8 to < 10-7

≥10-7 to < 10-6

≥10-6 to < 10-5

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

Note: green color indicates that PFDavg of the unit is less than 10 % of the PFDavg required by its SIL level, yellow color indicates that PFDavg of the unit is more than 10 % of the

PFDavg required by its SIL level.

PSD1206, PSD1210 Isolated Power Supply, single unit, NE loads

Failure rates:

Failure rates according to IEC 61508:

Summary of Data from EXIDA

Failure category Failure rates (FIT)

Total Fail Dangerous Undetected = λdu

Fail Dangerous Undetected

Fail High (1% of Total Fail High)

Fail “Annunciation Undetected” (1% of Total Fail “Ann. Undet.”)

Total Fail Safe Undetected = λsu

Fail High (99% of Total Fail High)

Fail Low

Fail “Annunciation Undetected” (99% of Total Fail “Ann. Undet.”)

Fail “Not Part” = λnotpart

MTBF = MTTF + MTTR = 1 / (λsd + λsu + λdd + λdu + λnotpart) + MTTR

MTTFS= 1 / (λsd + λsu)

134.80

134.00

0.21

0.59

542.20

20.79

215.00

58.41

174.00

134 years

210 years

Fail “No Effect” 214.00

Λsd

0.00 FIT

λsu

542.20 FIT

λdd

0.00 FIT

λdu

134.80 FIT

SFF

80.09%

PFDavg vs T[Proof], with determination of SIL supposing module contributes 10% of entire safety function:

T[Proof] = 1 year

PFDavg = 5.90 E-04

Valid for SIL 2

See Note 2 in the section Notes

T[Proof] = 3 years

PFDavg = 1.77 E-03

See Note 3 and Note 4

In the section Notes

T[Proof] = 6 years

PFDavg = 3.54 E-03

See Note 3 and Note 4

In the section Notes

Total Fail Dangerous Detected = λdd 0.00

Total Fail Safe Detected = λsd 0.00

Fail Safe Undetected 34.00

Total Failure Rate (Safety Function) = λsd + λsu + λdd + λdu 677.00

Total Failure Rate (Device) = λsd + λsu + λdd + λdu + λnotpart 851.00

MTTFD= 1 / λdu 847 years

T[Proof] = 10 years

PFDavg = 5.90 E-03

See Note 3 and Note 4

In the section Notes

PFDavg vs T[Proof], with determination of SIL supposing module contributes 20% of entire safety function:

T[Proof] = 1 year

PFDavg = 5.90 E-04

Valid for SIL 2

See Note 7 in the section Notes

T[Proof] = 3 years

PFDavg = 1.77 E-03

Valid for SIL2

See Note 7 in the section Notes

T[Proof] = 6 years

PFDavg = 3.54 E-03

See Note 8 and Note 9

In the section Notes

T[Proof] = 10 years

PFDavg = 5.90 E-03

See Note 8 and Note 9

In the section Notes

10 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

PSD1206, PSD1210 Isolated Power Supply, 2 units in parallel

One way to calculate the PFDavg of a system with 2 power supply units in parallel architecture is by using the fault tree as presented in following figure:

System of two PSD12xx connected in

parallel architecture fails undetected

Both PSD12xx fail because of

common cause (ß = 5 %)

First PSD12xx

fails undetected

Second PSD12xx

fails undetected

PSD1206, PSD1210 Isolated Power Supply, single unit, ND loads

Failure rates:

Failure rates according to IEC 61508:

Λsd

0.00 FIT

λsu

327.20 FIT

λdd

0.00 FIT

λdu

349.80 FIT

SFF

48.33%

PFDavg vs T[Proof], with determination of SIL supposing module contributes 10% of entire safety function:

Failure category Failure rates (FIT)

Total Fail Dangerous Undetected = λdu

Fail Dangerous Undetected

Fail High (1% of Total Fail High)

Fail “Annunciation Undetected” (1% of Total Fail “Ann. Undet.”)

Total Fail Safe Undetected = λsu

Fail High (99% of Total Fail High)

Fail Low

Fail “Annunciation Undetected” (99% of Total Fail “Ann. Undet.”)

Fail “Not Part” = λnotpart

MTBF = MTTF + MTTR = 1 / (λsd + λsu + λdd + λdu + λnotpart) + MTTR

MTTFS= 1 / (λsd + λsu)

349.80

134.00

0.21

0.59

327.20

20.79

215.00

58.41

174.00

134 years

349 years

Fail “No Effect” 214.00

Total Fail Dangerous Detected = λdd 0.00

Total Fail Safe Detected = λsd 0.00

Fail Safe Undetected 34.00

Total Failure Rate (Safety Function) = λsd + λsu + λdd + λdu 677.00

Total Failure Rate (Device) = λsd + λsu + λdd + λdu + λnotpart 851.00

MTTFD= 1 / λdu 326 years

PFDavg vs T[Proof], with determination of SIL supposing module contributes 20% of entire safety function:

T[Proof] = 1 year

PFDavg = 1.53 E-03

Valid for SIL 1

See Note 9 in the section Notes

T[Proof] = 10 years

PFDavg = 1.53 E-02

Valid for SIL1

See Note 9 in the section Notes

T[Proof] = 1 year

PFDavg = 1.53 E-03

Valid for SIL 1

See Note 4 in the section Notes

T[Proof] = 5 years

PFDavg = 7.66 E-03

Valid for SIL 1

See Note 4 in the section Notes

T[Proof] = 9 years

PFDavg = 1.38 E-02

See Note 5 in the section Notes

T[Proof] = 10 years

PFDavg = 1.53 E-02

See Note 5 in the section Notes

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

The probability of this system to fail is calculated as follows, considering 5 % βcommon cause factor, between the two power supply units PSD12xx:

()

_ System _ PSD12xx _ PSD12xx

() () ()1

AVG AVG AVG

DU DU

TI x years TI x years TI x yearsPFD PFD PFD

TI TI

ββ

βλ β λ

== ==⋅ + − ⋅ =

⎛⎞

=⋅ ⋅ + − ⋅ ⋅

⎜⎟

⎝⎠

where = Dangerous Undetected failure rate of PSD12xx; = Proof Test Interval.

NE loads

For 2 power supply units in parallel architecture driving NE loads, it’s possible to calculate the system probability to fail for different values by using previous

_System ()

AVG TI x yearsPFD =equation and replacing _ PSD12xx ()

AVG TI x yearsPFD =or

with values in NE loads tables (pag.11)

In following table, it’s reported the _System()

AVG TI x yearsPFD =with determination of SIL supposing module contibutes 10% of total SIF

ND loads

For 2 power supply units in parallel architecture driving ND loads, it’s possible to calculate the system probability to fail for different values by using previous

_System ()

AVG TI x yearsPFD =equation and replacing _ PSD12xx ()

AVG TI x yearsPFD =or

with values in ND loads tables (pag.12)

In following table, it’s reported the _System ()

AVG TI x yearsPFD =with determination of SIL supposing module contributes 10% of total SIF

T[Proof] = 1 year

PFDavg = 3.03 E-05

Valid for SIL 3

See Note 1 in the section Notes

T[Proof] = 3 years

PFDavg = 9.34 E-05

Valid for SIL 3

See Note 1 in the section Notes

T[Proof] = 6 years

PFDavg = 1.90 E-04

Valid for SIL 2

See Note 2 in the section Notes

T[Proof] = 10 years

PFDavg = 3.41 E-04

Valid for SIL 2

See Note 2 in the section Notes

T[Proof] = 1 year

PFDavg = 8.09 E-05

Valid for SIL 2

See Note 2 in the section Notes

T[Proof] = 5 years

PFDavg = 4.65 E-04

Valid for SIL 2

See Note 2 in the section Notes

T[Proof] = 9 years

PFDavg = 9.40 E-04

Valid for SIL 2

See Note 2 in the section Notes

T[Proof] = 10 years

PFDavg = 1.10 E-03

See Note 3 and Note 4

in the section Notes

In following table, it’s reported the _System ()

AVG TI x yearsPFD =with determination of SIL supposing module contibutes 20% of total SIF

T[Proof] = 1 year

PFDavg = 3.03 E-05

Valid for SIL 3

See Note 6 in the section Notes

T[Proof] = 3 years

PFDavg = 9.34 E-05

Valid for SIL 3

See Note 6 in the section Notes

T[Proof] = 6 years

PFDavg = 1.90 E-04

Valid for SIL 3

See Note 6 in the section Notes

T[Proof] = 10 years

PFDavg = 3.41 E-04

Valid for SIL 2

See Note 7 in the section Notes

In following table, it’s reported the _System ()

AVG TI x yearsPFD =with determination of SIL supposing module contibutes 20% of total SIF

T[Proof] = 1 years

PFDavg = 8.09 E-05

Valid for SIL 2

See Note 6 in the section Notes

T[Proof] = 10 years

PFDavg = 1.10 E-03

Valid for SIL 2

See Note 6 in the section Notes

PSD1206, PSD1210 Isolated Power Supply, 3 units in parallel

For 3 power supply units in parallel architecture, it’s possible to calculate the system probability to fail for different values by using the following equation:

()

_System ()

AVG DU

TI x years

PFD

βλ

=−⋅ ⋅

≅⋅ ⋅ +

NE Loads

T[Proof] = 1 year

PFDavg = 2.99 E-05

Valid for SIL 3

See Note 1 in the section Notes

T[Proof] = 3 years

PFDavg = 8.96 E-05

Valid for SIL 3

See Note 1 in the section Notes

T[Proof] = 10 years

PFDavg = 2.99 E-04

Valid for SIL 2

See Note 2 in the section Notes

Where β= 5 %; = Dangerous Undetected failure rate of PSD12xx; = Proof Test Interval

In following table, it’s reported the _System()

AVG TI x yearsPFD =, with determination of SIL supposing module contributes 10% of total SIF

Use previous _System ()

AVG TI x yearsPFD =equation and replace

with value 134.80 FIT

12 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

PSD1206, PSD1210 Isolated Power Supply, fail with over voltage condition

One way to calculate the probability that the Power Supply types PSD1206 and PSD1210 fail with an over voltage condition is by using the fault tree as presented in following figure:

Over voltage condition

Power Supply fails

with over voltage

Both crowbars fail

because of common caus

Over voltage protection

fails undetected

Crowbars

fail undetected

≥1

Crowbar 2

fails undetected

Crowbar 1

fails undetected

When using fault trees, the PFD should be calculated for multiple time steps (e.g. each hour) and then averaged over the time period of interest. The probability of the system to fail with

an over voltage condition is calculated as follows for each time step:

PFDAVG_OC_Sys = PFD_OC_PS * PFD_OP * PFD_CB

PFD_CB = PFD_CB1 * PFD_CB2 + β* PFD_CB12

PFD_OC_PS (Tproof = 1 year) = 1.84 E-04

PFD_OP (Tproof = 1 year) = 9.64 E-05

PFD_CB1 (Tproof = 1 year) = PFD_CB2 (Tproof = 1 year) = 2.10 E-04

PFD_CB12 (Tproof = 1 year) = 2.11 E-04

β* PFD_CB12 (Tproof = 1 year) = 0.05 * 2.11 E-04 = 1.05 E-05

PFD_CB (Tproof = 1 year) = 1.06 E-05

PFDAVG_OC_Sys (Tproof = 1 year) = 9.36 E-14

Notes

• Note 1: Considering a SIL 3 application, the total PFDavg value of the SIF must be < 1.00 E-03 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 10% of the entire SIF, the PFDavg value of the module must be ≤1.00 E-04. This limit is satisfied from the

calculated PFDavg value, therefore the module is valid for SIL 3 application.

• Note 2: Considering a SIL 2 application, the total PFDavg value of the SIF must be < 1.00 E-02 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 10% of the entire SIF, the PFDavg value of the module must be ≤1.00 E-03. This limit is satisfied from the

calculated PFDavg value, therefore the module is valid for SIL 2 application.

• Note 3: Considering a SIL 2 application, the total PFDavg value of the SIF must be < 1.00 E-02 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 10% of the entire SIF, the PFDavg value of the module must be ≤1.00 E-03. This limit is NOT satisfied from the

calculated PFDavg value, therefore the module is NOT valid for SIL 2 application, but it’s ok for SIL 1.

• Note 4: Considering a SIL 1 application, the total PFDavg value of the SIF must be < 1.00 E-01 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 10% of the entire SIF, the PFDavg value of the module must be ≤1.00 E-02. This limit is satisfied from the

calculated PFDavg value, therefore the module is valid for SIL 1 application.

• Note 5: Considering a SIL 1 application, the total PFDavg value of the SIF must be < 1.00 E-01 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 10% of the entire SIF, the PFDavg value of the module must be ≤1.00 E-02. This limit is NOT satisfied from the

calculated PFDavg value, therefore the module is NOT valid for SIL 1 application.

• Note 6: Considering a SIL 3 application, the total PFDavg value of the SIF must be < 1.00 E-03 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 20% of the entire SIF, the PFDavg value of the module must be ≤2.00 E-04. This limit is satisfied from the

calculated PFDavg value, therefore the module is valid for SIL 3 application.

• Note 7: Considering a SIL 2 application, the total PFDavg value of the SIF must be < 1.00 E-02 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 20% of the entire SIF, the PFDavg value of the module must be ≤2.00 E-03. This limit is satisfied from the

calculated PFDavg value, therefore the module is valid for SIL 2 application.

• Note 8: Considering a SIL 2 application, the total PFDavg value of the SIF must be < 1.00 E-02 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 20% of the entire SIF, the PFDavg value of the module must be ≤2.00 E-03. This limit is NOT satisfied from the

calculated PFDavg value, therefore the module is NOT valid for SIL 2 application, but it’s ok for SIL 1.

• Note 9: Considering a SIL 1 application, the total PFDavg value of the SIF must be < 1.00 E-01 according to table 2 of IEC 61508-1 and table 3.1 of ANSI/ISA-84.01-1996.

However, as the module under consideration contributes for only 20% of the entire SIF, the PFDavg value of the module must be ≤2.00 E-02. This limit is satisfied from the

calculated PFDavg value, therefore the module is valid for SIL 1 application.

• Note 10: It is important to realize that the “No Effect” failures and the “Annunciation Undetected” failures are included in the Safe Undetected failure category according to

IEC 61508. Note that these failures themselves will not affect system reliability or safety, and should not be included in spurious trip calculations.

ND Loads

T[Proof] = 1 year

PFDavg = 7.80 E-05

Valid for SIL 2

See Note 2 in the section Notes

T[Proof] = 10 years

PFDavg = 7.87 E-04

Valid for SIL 2

See Note 2 in the section Notes

In following table, it’s reported the _System()

AVG TI x yearsPFD =, with determination of SIL supposing module contributes 10% of total SIF

Use previous _System ()

AVG TI x yearsPFD =equation and replace

with value 349.80 FIT

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

MODEL PSD1210

++-- -+ L/+N/-

Current

Sharing

Fault

Output 1

Supply

Input 1

24 Vdc

Output Bus

MODEL PSD1210

++-- -+ L/+N/-

Current

Sharing

Fault

Output 2

Supply

Input 2

Connection for current sharing

SIL 3

Draft about connection of 2 units PSD1210 in parallel mode.

Maximum load current

required to the power

supply system

(A)

Number of power supply units

at least required to satisfy

maximum load current

Number of power supply units,

with redundancy required for

normal operation of system

N+1

Number of power supply units,

with redundancy required for

normal operation and during

T-proof periodic test of system

N+2

10 1 2 3

20 2 3 4

30 3 4 5

40 4 5 6

50 5 6 7

For NE load:

a) SIL 2 with T-proof = 1 year;

b) SIL 2 with T-proof = 3 years.

For ND load:

c) SIL 1 with T-proof = 5 years;

d) SIL 1 with T-proof = 10 years.

During T-proof of each power supply

unit, the power supply system can not

sustain the maximum load current

because redundancy (N+1) is absent.

For NE load:

a) SIL 3 with T-proof = 3 years or

SIL 2 with T-proof = 10 years;

b) SIL 3 with T-proof = 6 years or

SIL 2 with T-proof = 10 years.

For ND load:

c) SIL 2 with T-proof = 9 years or

SIL 1 with T-proof = 10 years;

d) SIL 2 with T-proof = 10 years.

During T-proof of each power supply

unit, the power supply system can

sustain the maximum load current but

SIL value changes from SIL 3 to

SIL 2 (for NE load) or from SIL 2 to

SIL 1 (for ND load), because

redundancy (N+2) is absent.

For NE load:

a) SIL 3 with T-proof = 3 years;

b) SIL 3 with T-proof = 6 years.

For ND load:

c) SIL 2 with T-proof = 9 years;

d) SIL 2 with T-proof = 10 years.

During T-proof of each power supply

unit, the power supply system can

sustain the maximum load current

and maintain SIL 3 value (for NE

load) or SIL 2 value (for ND load),

because redundancy (N+2) is

present.

Number of power supply units connected in parallel for different maximum load currents required to the power supply system.

To maintain the power supply system safety integrity level, SIL 2 (ND loads) or SIL 3 (NE loads), also during the T-proof periodic test, in addition two redundant units for each

system are required.

If N is the number of power supply units connected in parallel, for the maximum load current required to the power supply system without redundancy, the total number of modules

must be N+2.

Maintaining SIL level during T-proof test in redundant architecture

14 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

According to section 7.4.3.2.2 f) of IEC 61508-2 proof test shall be undertaken to reveal dangerous faults which are undetected by diagnostic tests. This means that it is necessary

to specify how dangerous undetected fault which have been noted during the FMEDA can be detected during proof testing.

Proof tests should be carried out by qualified service instrumentation technicians. Any failures or faults should be reported to G.M. International.

This procedure specifies the type of test that must be carried on the supply unit at the end of the T-proof period of operation to verify the correct operation of protection circuits in

the supply unit required to restore the Safety Integrity Level required.

The functions to be tested are:

Proof test 1: Current sharing capability.

Proof test 2: Paralleling diode operation .

Proof test 3: Crowbar A operation.

Proof test 4: Crowbar B operation.

Proof test 5: Over voltage protection.

Possible Proof Tests to reveal Dangerous Undetected Faults

Ammeter range 0 to 10 A (0.1 A resolution or better)

300 W variable resistor load, from 2 to 25 Ω, current up to 10 A to test PSD1210

or 150 W variable resistor load, from 4 to 25 Ω, current up to 6 A to test PSD1206

A1, A2, A3

Voltmeter range 30 V, Resolution 1 mV. V1, V2, V3

Calibrator, to set 100 mA current CAL

IdentificationRequired instrumentation

Overvoltage crowbar test Jig TPF1210 (with cables) TPF1210

SW1 = Vout Control

SW2 = Over Voltage Protection

SW3 = Crowbar A

SW4 = Crowbar B

TPF1210

Overvoltage Crowbar

Test Jig

Multi-core cable Jig 5-poles Multi-core cable Jig 6-poles

1918

1 2 3 4

5 6 7 8

Vout Adjust

TPF1210

Diode Test

ON OFF

Multi-core cable Jig 5-poles

Multi-core cable Jig 6-poles

P1 = Potentiometer

PSD1210 (PSD1206)

Side view

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

Procedure

Supply both units under test and set the variable load resistor PR so that maximum load is applied to the connected power supplies,

verifying through A1 that load current is 10 A (6 A for PSD1206).

Note that load current A1 will be shared by the two power supplies, therefore A2 and A3 = 5 A

Step

Disconnect “current sharing” connection2

Current sharing:

Connect the two power supplies as shown in the following image:

MODELS

PSD1210

PSD1206

Regulate the second’s power supply voltage (V2) by rotating its “Vout Adjust” trimmer clockwise, until obtaining 24.6 V3

Verify that output current (A3) is at 75% of full load and that output current (A2) is instead at 25%4

Re-connect “current sharing” connection and verify that voltage are approximately the same (V1 ≈V2)5

Verify that output current (A3) is about 60% of full load and that output current (A2) is instead about 40%6

Regulate the second’s power supply voltage (V2) by rotating its “Vout Adjust” trimmer counter-clockwise, until obtaining 24 V7

Turn off both power supplies8

++-- -+

Sharing

current

++-- -+

Sharing

current

Current sharing connection

L/+ N/-

220 Vac

L/+ N/-

220 Vac

COM

PS UNDER TEST SECOND PS

MODELS

PSD1210

PSD1206

16 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

ProcedureStep

Connect the “overvoltage crowbar test jig” (TPF1210) to the PS under test and set TPF1210 with the following configuration:

SW1=OFF, SW2=OFF, SW3=OFF, SW4=OFF and potentiometer P1 completely rotated clockwise

Turn on power supply under test and regulate the load current (A1) until obtaining 10 A (6A for PSD1206)2

Connect voltmeter (V2) to “Out diodes” pins of “overvoltage crowbar test jig” and check that voltage drop is between 0.3V and 0.7V3

Turn on the second PS4

Turn off the PS under test5

Check that voltage (V2) between the diodes is between -22 V and -26 V6

Paralleling diode operation:

Connect the two power supplies as shown in the following image:

Turn off also the second PS and disconnect voltmeter V2 from the “Out diodes” pins of the “overvoltage crowbar test jig”7

MODELS

PSD1210

PSD1206

MODELS

PSD1210

PSD1206

++-- -+

Sharing

current

++-- -+

Sharing

current

Current sharing connection

COM

L/+ N/-

220 Vac

L/+ N/-

220 Vac

4321

OFF

Vout

adjust

Diode test

TPF1210

COM

PS UNDER TEST SECOND PS

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

Procedure

With PS switched OFF, set the “overvoltage crowbar test jig” (TPF1210) as follows: SW1=OFF, SW2=ON, SW3=OFF, SW4=ON

Test

Rotate Potentiometer (P1) of the “overvoltage crowbar test jig” clockwise to obtain the maximum resistance (10 KΩ)

Output voltage value (V1) should be greater than 24 V nominal at 80% of full load. Now, after checking this condition,

rotate potentiometer (P1) counter-clockwise slowly to decrease its resistance and observe that the corresponding output voltage

(V1) increases simultaneously while rotating.

At this point “Crowbar A” will trigger the shortcircuit and output voltage (V1) will be < 2 V. Maximum voltage (V1)

obtained just before the crowbar’s trigger point should be between 27.0 V and 29.0 V

Turn off the PS immediately by opening the supply switch (I1) so that the “crowbar” is reset6

Rotate potentiometer (P1) clockwise completely to obtain maximum resistance7

Crowbar A operation:

Connect the power supply as shown in the following image:

MODELS PSD1210 - PSD1206

Turn on the PS by closing switch I13

Sharing

current

L/+

N/-

220 Vac

4321

OFF

Vout

adjust

Diode test

TPF1210

COM

18 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

Procedure

After “Crowbar A test”, continue setting the “overvoltage crowbar test jig” (TPF1210): SW1=OFF, SW2=ON, SW3=ON, SW4=OFF

Step

Turn on the PS by closing switch I12

At this point “Crowbar B” will trigger the shortcircuit and output voltage (V1) will be < 2 V. Maximum voltage (V1)

obtained just before the crowbar’s trigger point should be between 27.0 V and 29.0 V

Turn off the PS immediately by opening the supply switch (I1) so that the “crowbar” is reset5

Crowbar B operation:

Connect the power supply as shown in the following image

Output voltage value (V1) should be greater than 24 V nominal at 80% of full load. Now, after checking this condition,

rotate potentiometer (P1) counter-clockwise slowly to decrease its resistance and observe that the corresponding output voltage

(V1) increases simultaneously while rotating.

MODELS PSD1210 - PSD1206

Rotate potentiometer (P1) clockwise completely to obtain maximum resistance6

Sharing

current

L/+

N/-

220 Vac

4321

OFF

Vout

adjust

Diode test

TPF1210

COM

PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 VdcG.M. International ISM0076-7

Procedure

Set the “overvoltage crowbar test jig” (TPF1210): SW1=ON, SW2=OFF, SW3=ON, SW4=ON

Step

Turn on the PS by closing switch I12

Verify that the output voltage (V1) is between 25.5V and 28V nominal at 80% of full load and without load3

Overvoltage Protection operation:

Connect the power supply as shown in the following image:

MODELS PSD1210 - PSD1206

Turn off the PS4

Sharing

current

L/+

N/-

220 Vac

4321

OFF

Vout

adjust

Diode test

TPF1210

COM

20 PSD1206 - PSD1210 - SIL 3 - SIL 2 Switching Power Supply 24 Vdc G.M. International ISM0076-7

Although a constant failure rate is assumed by the probabilistic estimation method, this only applies provided that the useful lifetime of components is not exceeded. Beyond this useful

lifetime, the result of the probabilistic calculation method is meaningless as the probability of failure significantly increases with time. The useful lifetime is highly dependent on the

component itself and its operating conditions, temperature in particular (for example, electrolyte capacitors can be very sensitive to temperature). This assumption of a constant failure

rate is based on the bathtub curve, which shows the typical behavior for electronic components. Therefore it is obvious that PFDavg calculation is only valid for components that have this

constant domain and that the validity of the calculation is limited to the useful lifetime of each component. It is assumed that early failures are detected to a huge percentage during the

installation period and therefore the assumption of a constant failure rate during the useful lifetime is valid. However, according to section 7.4.7.4 of IEC 61508-2, a useful lifetime, based

on experience, should be assumed. According to section 7.4.7.4 note 3 of the IEC 61508-2 experience has shown that the useful lifetime often lies within a range of about 10-15 years.

Impact of lifetime of critical components on Failure Rate

The equation of PFDavg, applicable when the component or sub-system is new and when λdu are 99 % known by proof test is:

When these tests do not detect at least 99 % of λdu the same equation changes to:

where: Et is the effectiveness of proof test (0-100 %), SL can be intended as:

1) Time between two proof tests with 99-100 % effectiveness;

2) Time between two replacements;

3) Component Life time if no substitution and no proof test is meant to be done.

For TI = 1 year the equation becomes:

Example 1:

λdu = 0.01 / yr ; TI = 1 yr ; SL = 12 yrs ; Et = 90 % = 0.9 ; PFDavg = 0.0002 / yr

At installation: PFDavg = 0.01 / 2 = 0.005 / yr ; RRF = 1 / PFDavg = 1 / 0.005 = 200 (Suitable for SIL 2)

After 1 yr: PFDavg = (0.9 x 0.01/2) + (0.1 x 0.01 x 6) = 0.0105 ; RRF = 95 (Suitable for SIL 1)

Example 2:

λdu = 0.01 / yr ; TI = 1 yr ; SL = 12 yrs ; Et = 99 % = 0.99 ; PFDavg = 0.0002 / yr

At installation: PFDavg = 0.01 / 2 = 0.005 / yr ; RRF = 1 / PFDavg = 1 / 0.005 = 200 (Suitable for SIL 2)

After 1 yr: PFDavg = (0.99 x 0.01/2) + (0.01 x 0.01 x 6) = 0.0056 ; RRF = 178 (Suitable for SIL 2)

duPFDavg ×=

)1()

(SL

duEt

duEtPFDavg ××−+××=

λλ

()

du SL

PFDavg Et Et du

λλ

⎛⎞

⎜⎟

⎝⎠

=× +−× ×

Influence of PFDavg calculation on efficiency of Proof Test for a 1oo1 architecture.

MODELS PSD1206 - PSD1210

++- - -+ L/+N/-

Current

Sharing

Fault

Output 1

Supply

Input 1

48 Vdc

Output Bus

MODELS PSD1206 - PSD1210

++- - -+ L/+N/-

Current

Sharing

Fault

Output 2

Supply

Input 2

SIL 3

48 Vdc Output with connection in series of power supplies

To obtain higher output voltage of 48 V, it is possible to connect two modules in series as shown below. Output voltage can be furtherly increased by connecting more units in series.