Gmi D5095s User guide

D5095S - 5 A SIL 3 NC contact Relay Out Module for NE or F&G/ND Load G.M. International ISM0307-1

5 A SIL 3 NC contact Relay Output Module

for NE or F&G/ND Load,

DIN-Rail and Termination Board, Model D5095S

D5095S

SAFETY MANUAL

Reference must be made to the relevant sections within the instruction manual ISM0300,

which contain basic guides for the installation of the equipment.

D5095S - 5 A SIL 3 NC contact Relay Out Module for NE or F&G/ND Load G.M. International ISM0307-1

Functional Safety Manual and Applications

Description:

Input Signal from PLC/DCS is normally Low (0 Vdc) and is applied to pins 1-2 in order to Normally De-energize (ND) the internal relays.

Input Signal from PLC/DCS is High (24 Vdc) during “energized to trip” operation, in order to energize the internal relays.

The Load is Normally Energized (NE), therefore its safe state is to be de-energized.

The Service load (for NE Load) is normally de-energized, while in safe state it is energized.

Disconnection of the NE Load is done on both supply lines.

The following table describes the status (open or closed) of each output contact when the input signal is High or Low.

Safety Function and Failure behavior:

D5095S is considered a Type A module, having Hardware Fault Tolerance (HFT) = 0.

In the 1st Functional Safety application, the normal state operation of relay module is de-energized, with NE (Normally Energized) load.

In case of alarm or request from process, the relay module is energized (safe state), de-energizing the load.

The failure behaviour of the relay module is described by the following definitions:

□fail-Safe State: it is defined as the output load being de-energized;

□fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;

□fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state),

so that the output load remains energized.

□fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;

When calculating the SFF this failure mode is not taken into account.

□fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness;

When calculating the SFF this failure mode is not taken into account.

Failure rate date: taken from Siemens Standard SN29500.

Failure rate table:

Failure rates table according to IEC 61508:2010 Ed.2:

When D5095S drives NE Load and operates in Low Demand mode:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes > 10% of total SIF dangerous failures:

When D5095S drives NE Load and operates in High Demand mode: PFH = λdu = 3.10 E-09 h-1 - Valid for SIL 3.

SC 3: Systematic capability SIL 3.

Operation Input Signal

Pins 1-2

Out 1

Pins 7 - 11

Out 2

Pins 8 - 12

NE Load (SIL3)

Pins 11 - 12

Normal Low (0 Vdc) Closed Closed Energized

Trip High (24 Vdc) Open Open De-Energized

Pins

9 - 10

Open

Closed

Service Load (Not SIL)

Pin 10 to -/AC

De-Energized

Energized

Failure category Failure rates (FIT)

λdd = Total Dangerous Detected failures 0.00

λdu = Total Dangerous Undetected failures 3.10

λsd = Total Safe Detected failures 0.00

λsu = Total Safe Undetected failures 148.20

λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu 151.30

MTBF (safety function, single channel) = (1 / λtot safe) + MTTR (8 hours) 754 years

λno effect = “No effect” failures 300.70

λnot part = “Not Part” failures 20.20

λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part 472.20

MTBF (device) = (1 / λtot device) + MTTR (8 hours) 241 years

λsd λsu λdd λdu SFF

0.00 FIT 148.20 FIT 0.00 FIT 3.10 FIT 97.95%

T[Proof] = 7 years

PFDavg = 9.52 E-05 - Valid for SIL 3

T[Proof] = 1 year

PFDavg = 1.36 E-05 - Valid for SIL 3

T[Proof] = 20 years

PFDavg = 2.72 E-04 - Valid for SIL 3

1) Application for D5095S - SIL 3 for NE Load with bipolar load interruption

Normal state operation Energized to trip operation

- / AC

+ / AC

PLC

Output OFF

0 Vdc

- / AC

+ / AC

PLC

Output ON

24 Vdc

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

10 10

D5095S - 5 A SIL 3 NC contact Relay Out Module for NE or F&G/ND LoadG.M. International ISM0307-1 3

Functional Safety Manual and Applications

Description:

Input Signal from PLC/DCS is normally High (24 Vdc) and is applied to pins 1-2 in order to Normally Energize (NE) the internal relays.

Input Signal from PLC/DCS is Low (0 Vdc) during “de-energized to trip” operation, in order to de-energize the internal relays.

The Load is Normally De-energized (ND), therefore its safe state is to be energized.

The Service load (for ND Load) is normally energized, while in safe state it is de-energized.

Disconnection of the ND Load is done on both supply lines.

The following table describes the status (open or closed) of each output contact when the input signal is High or Low.

Safety Function and Failure behavior:

D5095S is considered a Type A module, having Hardware Fault Tolerance (HFT) = 0.

In the 2nd Functional Safety application, the normal state operation of relay module is energized, with ND (Normally De-energized) load.

In case of alarm or request from process, the relay module is de-energized (safe state), energizing the load.

The failure behaviour of the relay module is described by the following definitions:

□fail-Safe State: it is defined as the output load being energized;

□fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;

□fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state),

so that the output load remains de-energized.

□fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;

When calculating the SFF this failure mode is not taken into account.

□fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness;

When calculating the SFF this failure mode is not taken into account.

Failure rate date: taken from Siemens Standard SN29500.

Failure rate table:

Failure rates table according to IEC 61508:2010 Ed.2:

When D5095S drives F&G/ND Load and operates in Low Demand mode:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes > 10% of total SIF dangerous failures:

When D5095S drives F&G/ND Load and operates in High Demand mode: PFH = λdu = 1.96 E-09 h-1 - Valid for SIL 3.

SC 3: Systematic capability SIL 3.

Operation Input Signal

Pins 1-2

Out 1

Pins 7 - 11

Out 2

Pins 8 - 12

F&G/ND Load (SIL3)

Pins 11 - 12

Normal High (24 Vdc) Open Open De-energized

Trip Low (0 Vdc) Closed Closed Energized

Pins

9 - 10

Closed

Open

Service Load (Not SIL)

Pin 10 to -/AC

Energized

De-energized

Failure category Failure rates (FIT)

λdd = Total Dangerous Detected failures 0.00

λdu = Total Dangerous Undetected failures 1.96

λsd = Total Safe Detected failures 0.00

λsu = Total Safe Undetected failures 238.84

λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu 240.80

MTBF (safety function, single channel) = (1 / λtot safe) + MTTR (8 hours) 474 years

λno effect = “No effect” failures 210.80

λnot part = “Not Part” failures 20.60

λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part 472.20

MTBF (device) = (1 / λtot device) + MTTR (8 hours) 241 years

λsd λsu λdd λdu SFF

0.00 FIT 238.84 FIT 0.00 FIT 1.96 FIT 99.19%

T[Proof] = 1 year

PFDavg = 8.60 E-06 - Valid for SIL 3

T[Proof] = 11 years

PFDavg = 9.46 E-05 - Valid for SIL 3

T[Proof] = 20 years

PFDavg = 1.72 E-04 - Valid for SIL 3

2) Application for D5095S - SIL 3 for F&G/ND Load with bipolar load interruption

Normal state operation De-energized to trip operation

- / AC

+ / AC

PLC

Output ON

24 Vdc

- / AC

+ / AC

PLC

Output OFF

0 Vdc

F&G/ND

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

F&G/ND

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

D5095S - 5 A SIL 3 NC contact Relay Out Module for NE or F&G/ND Load G.M. International ISM0307-1

Functional Safety Manual and Applications

Description:

Input Signal from PLC/DCS is normally Low (0 Vdc) and is applied to pins 1-2 in order to Normally De-energize (ND) the internal relays.

Input Signal from PLC/DCS is High (24 Vdc) during “energized to trip” operation, in order to energize the internal relays.

The Load is Normally Energized (NE), therefore its safe state is to be de-energized.

The Service load (for NE Load) is normally de-energized, while in safe state it is energized.

Disconnection of the NE Load is done on only one supply line.

The following table describes the status (open or closed) of each output contact when the input signal is High or Low.

Safety Function and Failure behavior:

D5095S is considered a Type A module, having Hardware Fault Tolerance (HFT) = 0.

In the 3rd Functional Safety application, the normal state operation of relay module is de-energized, with NE (Normally Energized) load.

In case of alarm or request from process, the relay module is energized (safe state), de-energizing the load.

The failure behaviour of the relay module is described by the following definitions:

□fail-Safe State: it is defined as the output load being de-energized;

□fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;

□fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state),

so that the output load remains energized.

□fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;

When calculating the SFF this failure mode is not taken into account.

□fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness;

When calculating the SFF this failure mode is not taken into account.

Failure rate date: taken from Siemens Standard SN29500.

Failure rate table:

Failure rates table according to IEC 61508:2010 Ed.2:

When D5095S drives NE Load and operates in Low Demand mode:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes > 10% of total SIF dangerous failures:

When D5095S drives NE Load and operates in High Demand mode: PFH = λdu = 3.10 E-09 h-1 - Valid for SIL 3.

SC 3: Systematic capability SIL 3.

Operation Input Signal

Pins 1-2

Out 1

Pins 7 - 11

Out 2

Pins 8 - 12

NE Load (SIL3)

Pin 8 to to -/AC

Normal Low (0 Vdc) Closed Closed Energized

Trip High (24 Vdc) Open Open De-Energized

Pins

9 - 10

Open

Closed

Service Load (Not SIL)

Pin 10 to -/AC

De-Energized

Energized

Failure category Failure rates (FIT)

λdd = Total Dangerous Detected failures 0.00

λdu = Total Dangerous Undetected failures 3.10

λsd = Total Safe Detected failures 0.00

λsu = Total Safe Undetected failures 148.20

λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu 151.30

MTBF (safety function, single channel) = (1 / λtot safe) + MTTR (8 hours) 754 years

λno effect = “No effect” failures 300.70

λnot part = “Not Part” failures 20.20

λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part 472.20

MTBF (device) = (1 / λtot device) + MTTR (8 hours) 241 years

λsd λsu λdd λdu SFF

0.00 FIT 148.20 FIT 0.00 FIT 3.10 FIT 97.95%

T[Proof] = 7 years

PFDavg = 9.52 E-05 - Valid for SIL 3

T[Proof] = 1 year

PFDavg = 1.36 E-05 - Valid for SIL 3

T[Proof] = 20 years

PFDavg = 2.72 E-04 - Valid for SIL 3

3) Application for D5095S - SIL 3 for NE Load with unipolar load interruption

Normal state operation Energized to trip operation

- / AC

+ / AC

PLC

Output OFF

0 Vdc

- / AC

+ / AC

PLC

Output ON

24 Vdc

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

10 10

D5095S - 5 A SIL 3 NC contact Relay Out Module for NE or F&G/ND LoadG.M. International ISM0307-1 5

Functional Safety Manual and Applications

Description:

Input Signal from PLC/DCS is normally High (24 Vdc) and is applied to pins 1-2 in order to Normally Energize (NE) the internal relays.

Input Signal from PLC/DCS is Low (0 Vdc) during “de-energized to trip” operation, in order to de-energize the internal relays.

The Load is Normally De-energized (ND), therefore its safe state is to be energized.

The Service load (for ND Load) is normally energized, while in safe state it is de-energized.

Disconnection of the ND Load is done on only one supply line.

The following table describes the status (open or closed) of each output contact when the input signal is High or Low.

Safety Function and Failure behavior:

D5095S is considered a Type A module, having Hardware Fault Tolerance (HFT) = 0.

In the 4th Functional Safety application, the normal state operation of relay module is energized, with ND (Normally De-energized) load.

In case of alarm or request from process, the relay module is de-energized (safe state), energizing the load.

The failure behaviour of the relay module is described by the following definitions:

□fail-Safe State: it is defined as the output load being energized;

□fail Safe: this failure causes the system to go to the defined fail-safe state without a process demand;

□fail Dangerous: failure mode that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state),

so that the output load remains de-energized.

□fail “No effect”: failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure;

When calculating the SFF this failure mode is not taken into account.

□fail “Not part”: failure mode of a component which is not part of the safety function but part of the circuit diagram and is listed for completeness;

When calculating the SFF this failure mode is not taken into account.

Failure rate date: taken from Siemens Standard SN29500.

Failure rate table:

Failure rates table according to IEC 61508:2010 Ed.2:

When D5095S drives F&G/ND Load and operates in Low Demand mode:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes > 10% of total SIF dangerous failures:

When D5095S drives F&G/ND Load and operates in High Demand mode: PFH = λdu = 1.96 E-09 h-1 - Valid for SIL 3.

SC 3: Systematic capability SIL 3.

Operation Input Signal

Pins 1-2

Out 1

Pins 7 - 11

Out 2

Pins 8 - 12

F&G/ND Load (SIL3)

Pin 8 to -/AC

Normal High (24 Vdc) Open Open De-energized

Trip Low (0 Vdc) Closed Closed Energized

Pins

9 - 10

Closed

Open

Service Load (Not SIL)

Pin 10 to -/AC

Energized

De-energized

Failure category Failure rates (FIT)

λdd = Total Dangerous Detected failures 0.00

λdu = Total Dangerous Undetected failures 1.96

λsd = Total Safe Detected failures 0.00

λsu = Total Safe Undetected failures 238.84

λtot safe = Total Failure Rate (Safety Function) = λdd + λdu + λsd + λsu 240.80

MTBF (safety function, single channel) = (1 / λtot safe) + MTTR (8 hours) 474 years

λno effect = “No effect” failures 210.80

λnot part = “Not Part” failures 20.60

λtot device = Total Failure Rate (Device) = λtot safe + λno effect + λnot part 472.20

MTBF (device) = (1 / λtot device) + MTTR (8 hours) 241 years

λsd λsu λdd λdu SFF

0.00 FIT 238.84 FIT 0.00 FIT 1.96 FIT 99.19%

T[Proof] = 1 year

PFDavg = 8.60 E-06 - Valid for SIL 3

T[Proof] = 11 years

PFDavg = 9.46 E-05 - Valid for SIL 3

T[Proof] = 20 years

PFDavg = 1.72 E-04 - Valid for SIL 3

4) Application for D5095S - SIL 3 for F&G/ND Load with unipolar load interruption

Normal state operation De-energized to trip operation

- / AC

+ / AC

PLC

Output ON

24 Vdc

- / AC

+ / AC

PLC

Output OFF

0 Vdc

F&G/ND

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

F&G/ND

Load

SIL 3

7-9

Out 1

Out 2

Service

Load

(Not SIL)

D5095S - 5 A SIL 3 NC contact Relay Out Module for NE or F&G/ND Load G.M. International ISM0307-1

Configuration

For configuration of T-proof relays testing, some DIP Switches are located on component side of pcb. These switches allow the T-proof relays test (SW1 dip-switch: 1-2-3-4 set “ON” and

see “Testing procedure at T-proof” section for more information).

WARNING: after T-proof test, dip-switch 1-2-3-4 must be set

to “OFF” position for normal operation.

SW1 Dip switch configuration

1234

T-proof relays enable

123

Normal Operation

ON ON

OFF

OFFOFF

T-proof relays (dip1 = relay1;

dip2 = relay2; dip3 = relay3;

dip4 = relay4)

OFF

This is factory settings

The proof test shall be performed to reveal dangerous faults which are undetected by diagnostic. This means that it is necessary to specify how dangerous undetected faults, which

have been noted during the FMEDA, can be revealed during proof test.

Before of Specific Proof Test, execute the following General Proof Test: connect the load supply lines to terminal blocks “7” (for +/AC) and “8” ( for -/AC) and the NE of F&G / ND load to

terminal blocks “11” (as the positive terminal) and “12” (as the negative terminal); finally, connect the DCS/PLC signal to input channel terminal blocks “1” (as the positive terminal) and

“2” (as the negative terminal). Then, verify the input to output functionality: the output NE load is normally energized by shutdown the input channel, while supplying of the input channel

de-energizes (safe state) the load; on the other hand, the output F&G / ND load is normally de-energized by energizing of the input channel, while shutdown of the input channel

energizes (safe state) the load. The channel functionality must be verified for a minimum to maximum input voltage change (from 21.6 to 27.6 Vdc) .

Then, disconnect the load supply lines from terminal blocks “7” - “8” and the output load from terminal blocks “11” - “12”. Then, connect an ohmmeter (Ohm. A) between terminal blocks

“7” - “11” and another one (Ohm. B) between terminal blocks “8” - “12”. In addition, the use of four relays for a single channel requires to control each relay coil by means of the internal

SW1 dip-switches (no. 1, 2, 3, 4) and to check the ohmic continuity of the contacts, as described in the following Specific Proof Test.

The Specific Proof Test consists of the following steps:

Testing procedure at T-proof

Steps Action

1Bypass the safety-related PLC or take any other appropriate action to avoid a false trip when removing the unit for test.

21. Do not supply the input channel (terminals “1” - “2”) of the unit under test and verify that ohmmeters Ohm. A and Ohm. B measure presence of ohmic

continuity (so that both +/AC and -/AC load lines are not interrupted because the NC contacts are closed: the 1st requisite is verified). For both ohmmeters,

Ohm. A or Ohm. B, these measures could also be true if only one of the two relay contacts in parallel is closed and the other one is blocked (for welding) in

the closed position (this can be verified by testing the channel when input is supplied, as described in point 2 of this procedure) or in the open position (this

can be verified by testing the channel when the input is supplied, as described in point 3 of this procedure). On the other hand, the absence of ohmic

continuity measured by ohmmeter Ohm. A or Ohm. B implies that two relay contacts are blocked (for welding) in the open position.

2. Supply the input channel (terminals “1” - “2”) of the unit under test and verify that ohmmeters Ohm. A and Ohm. B measure absence of ohmic continuity

(so that both +/AC and -/AC load lines are interrupted because all NC contacts are open: the 2nd requisite is verified). The presence of ohmic continuity

measured by ohmmeter Ohm. A or Ohm. B implies that at least one relay contact is blocked (for welding) in the closed position: this can be verified only by

disassembling and individually testing each relay.

3. Always supply the input channel (terminals “1” - “2”) of the unit under test in order to verify if a single relay contact is blocked (for welding) in the open

position. Considering the measure of ohmmeter Ohm. A, set ON the internal SW1 dip-switches (no. 1 or 2) to put in short circuit one relay coil at a time

(starting with the 1st coil by dip-switch no. 1, then going on with the 2nd coil by dip-switch no. 2), verifying that ohmic continuity is always present between

terminals “7” - “11”. Considering the measures of ohmmeter Ohm. B, set ON the internal SW1 dip-switches (no. 3 or 4) to put in short circuit one relay coil at

a time (starting with the 3rd coil by DIP-switch no. 3, then going on with the 4th coil by dip-switch no. 4), verifying that ohmic continuity is always present

between terminals “8” - “12”. In these situations, the absence of ohmic continuity implies that a relay contact (the one with the de-energized coil being