Pepperl+Fuchs SIL M-LB-4000-System User manual
ISO9001
3
Functional Safety
M-LB-(Ex-)4000-System –
Surge Protection Barriers
Manual
With regard to the supply of products, the current issue of the following document is applicable:
The General Terms of Delivery for Products and Services of the Electrical Industry, published by the Central
Association of the Electrical Industry (Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most
recent version as well as the supplementary clause: "Expanded reservation of proprietorship"
Worldwide
Pepperl+Fuchs Group
Lilienthalstr. 200
68307 Mannheim
Germany
Phone: +49 621 776 - 0
E-mail: info@de.pepperl-fuchs.com
North American Headquarters
Pepperl+Fuchs Inc.
1600 Enterprise Parkway
Twinsburg, Ohio 44087
USA
Phone: +1 330 425-3555
E-mail: [email protected].com
Asia Headquarters
Pepperl+Fuchs Pte. Ltd.
P+F Building
18 Ayer Rajah Crescent
Singapore 139942
Phone: +65 6779-9091
E-mail: [email protected]
https://www.pepperl-fuchs.com
Functional Safety M-LB-(Ex-)4000-System
Contents
2023-03
3
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1 Content of this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Symbols Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Product Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1 Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4 Standards and Directives for Functional Safety . . . . . . . . . . . . . . . . . . . 9
3 Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1 System Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3 Safety Function and Safe State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.4 Characteristic Safety Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.5 Useful Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4 Mounting and Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.1 Mounting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
5 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1 Proof Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6 Maintenance and Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7 List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2023-03
4
Functional Safety M-LB-(Ex-)4000-System
Contents
Functional Safety M-LB-(Ex-)4000-System
Introduction
2023-03
5
1 Introduction
1.1 Content of this Document
This document contains information for usage of the device in functional safety-related
applications. You need this information to use your product throughout the applicable stages
of the product life cycle. These can include the following:
•Product identification
•Delivery, transport, and storage
•Mounting and installation
•Commissioning and operation
•Maintenance and repair
•Troubleshooting
•Dismounting
•Disposal
The documentation consists of the following parts:
•Present document
•Instruction manual
•Manual
•Datasheet
Additionally, the following parts may belong to the documentation, if applicable:
•EU-type examination certificate
•EU declaration of conformity
•Attestation of conformity
•Certificates
•Control drawings
•FMEDA report
•Assessment report
•Additional documents
For more information about Pepperl+Fuchs products with functional safety,
see www.pepperl-fuchs.com/sil.
Note
This document does not substitute the instruction manual.
Note
For full information on the product, refer to the instruction manual and further documentation
on the Internet at www.pepperl-fuchs.com.
Note
For specific device information such as the year of construction, scan the QR code
on the device. As an alternative, enter the serial number in the serial number search
at www.pepperl-fuchs.com.
2023-03
6
Functional Safety M-LB-(Ex-)4000-System
Introduction
1.2 Safety Information
Target Group, Personnel
Responsibility for planning, assembly, commissioning, operation, maintenance,
and dismounting lies with the plant operator.
Only appropriately trained and qualified personnel may carry out mounting, installation,
commissioning, operation, maintenance, and dismounting of the product. The personnel
must have read and understood the instruction manual and the further documentation.
Intended Use
The device is only approved for appropriate and intended use. Ignoring these instructions
will void any warranty and absolve the manufacturer from any liability.
The device is developed, manufactured and tested according to the relevant safety standards.
Use the device only
•for the application described
•with specified environmental conditions
•with devices that are suitable for this safety application
Improper Use
Protection of the personnel and the plant is not ensured if the device is not used according
to its intended use.
Functional Safety M-LB-(Ex-)4000-System
Introduction
2023-03
7
1.3 Symbols Used
This document contains symbols for the identification of warning messages and
of informative messages.
Warning Messages
You will find warning messages, whenever dangers may arise from your actions.
It is mandatory that you observe these warning messages for your personal safety and in order
to avoid property damage.
Depending on the risk level, the warning messages are displayed in descending order
as follows:
Informative Symbols
Action
This symbol indicates a paragraph with instructions. You are prompted to perform an action
or a sequence of actions.
Danger!
This symbol indicates an imminent danger.
Non-observance will result in personal injury or death.
Warning!
This symbol indicates a possible fault or danger.
Non-observance may cause personal injury or serious property damage.
Caution!
This symbol indicates a possible fault.
Non-observance could interrupt the device and any connected systems and plants,
or result in their complete failure.
Note
This symbol brings important information to your attention.
2023-03
8
Functional Safety M-LB-(Ex-)4000-System
Product Description
2 Product Description
2.1 Function
This manual describes solely the safety function and safe state of the surge protection barrier
as part of the surge protection system.
Surge Protection Barrier M-LB-42**(.M)
The device limits induced transients of different causes, e. g. lightning or switching operations.
The limitation is achieved by diverting the current to earth and limiting the signal loop voltage
during the duration of the overvoltage pulse.
The device consists of base module and protection module.The protection module
can be replaced without tools.
The device has a status indication at the front.
The device is mounted on a 35 mm DIN mounting rail according to EN 60715.
The DIN mounting rail is used to attach the device in the switch cabinet and is responsible
for grounding the surge protection barriers. The DIN rail mounting ensures a grounding
connection with the lowest possible resistance of the device.
Surge Protection Barrier M-LB-Ex-42**(.M)
The device limits induced transients of different causes, e. g. lightning or switching operations.
The limitation is achieved by diverting the current to earth and limiting the signal loop voltage
during the duration of the overvoltage pulse.
The device is used for intrinsic safety applications.
The device consists of base module and protection module.The protection module
can be replaced without tools.
The device has a status indication at the front.
The device is mounted on a 35 mm DIN mounting rail according to EN 60715.
The DIN mounting rail is used to attach the device in the switch cabinet and is responsible
for grounding the surge protection barriers. The DIN rail mounting ensures a grounding
connection with the lowest possible resistance of the device.
Danger!
Danger to life from wrong usage of the device
The protection of the safety loop against overvoltage is not the safety function of the surge
protection barrier.
The surge protection barrier protects applications and equipment against voltage surges
caused by lightning or switching operations.
The statement concerning the safety function of the surge protection barrier solely describes
the effect on safety loops in which the barrier is installed. The barrier acts in the safety loops
as a simple pass through element.
Functional Safety M-LB-(Ex-)4000-System
Product Description
2023-03
9
2.2 Interfaces
The device has the following interfaces.
•Safety relevant interfaces: protected signal lines
•Non-safety relevant interfaces: status indication
2.3 Marking
The *-marked letters of the type code are placeholders for versions of the device.
2.4 Standards and Directives for Functional Safety
Device specific standards and directives
System-specific standards and directives
Note
For corresponding connections see datasheet.
Pepperl+Fuchs Group
Lilienthalstraße 200, 68307 Mannheim, Germany
Internet: www.pepperl-fuchs.com
Surge protection barriers M-LB-42**(.M), M-LB-Ex-42**(.M) Up to SIL 3
Functional safety IEC/EN 61508, part 1 –7, edition 2010:
Functional safety of electrical/electronic/programmable
electronic safety-related systems (manufacturer)
Functional safety IEC 61511-1:2016+COR1:2016+A1:2017
EN 61511-1:2017+A1:2017
Functional safety –Safety instrumented systems for the process
industry sector (user)
2023-03
10
Functional Safety M-LB-(Ex-)4000-System
Planning
3 Planning
3.1 System Structure
3.1.1 Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one for the functional
safety, then usually the demand rate for the safety loop is assumed to be less
than once per year.
The relevant safety parameters to be verified are:
•the PFDavg value (average Probability of dangerous Failure on Demand)
and the T1value (proof test interval that has a direct impact on the PFDavg value)
•the SFF value (Safe Failure Fraction)
•the HFT architecture (Hardware Fault Tolerance)
3.1.2 High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and safety-related
operation, then usually the demand rate for this safety loop is assumed to be higher
than once per year.
The relevant safety parameters to be verified are:
•the PFH value (Probability of dangerous Failure per Hour)
•Fault reaction time of the safety system
•the SFF value (Safe Failure Fraction)
•the HFT architecture (Hardware Fault Tolerance)
3.1.3 Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous detected failures
to the total failure rate.
SFF = (s + dd) / (s + dd + du)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or (sub)systems
in a complete safety loop. The device under consideration is always part of a safety loop but
is not regarded as a complete element or subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure fraction
of the elements and subsystems, but not of a single device.
Nevertheless the SFF of the device is given in this document for reference.
Functional Safety M-LB-(Ex-)4000-System
Planning
2023-03
11
3.2 Assumptions
The following assumptions have been made during the FMEDA:
•The device will be used under average industrial ambient conditions comparable
to the classification stationary mounted according to MIL-HDBK-217F.
Alternatively, operating stress conditions typical of an industrial field environment similar
to IEC/EN 60654-1 Class C with an average temperature over a long period of time of 40 ºC
may be assumed. For a higher average temperature of 60 ºC, the failure rates must
be multiplied by a factor of 2.5 based on experience. A similar factor must be used
if frequent temperature fluctuations are expected.
•External power supply failure rates are not included.
•Propagation of failures is not relevant.
•Failure rates are constant, wear is not considered.
•The control loop has a hardware fault tolerance of 0 and it is a type A device.
A SFF value for this device is not given, since this value has to be calculated in conjunction
with the connected field device, as described in the following section.
Application
The surge protection barrier and the connected device (field device, isolator or actuator) have
to be considered in combination. The PFDavg/PFH budget of the device categories in the entire
safety loop is:
•Actuator (valve) 40 %
•Transmitter (sensor) 25 %
•Isolator 10 %
As an overview for the SIL2 or SIL3 safety loop this means:
Device category SIL 2 SIL 3
PFH PFDavg PFH PFDavg
Total 10-6 10-2 10-7 10-3
Actuator (40 %) 4 x 10-7 4 x 10-3 4 x 10-8 4 x 10-4
Transmitter (25 %) 2.5 x 10-7 2.5 x 10-3 2.5 x 10-8 2.5 x 10-4
Isolator (10 %) 10-7 10-3 10-8 10-4
Table 3.1 Overview PFDavg/PFH budget
2023-03
12
Functional Safety M-LB-(Ex-)4000-System
Planning
3.3 Safety Function and Safe State
The safety function of the surge protection barriers depends on the signal loop to which
it is attached. The interference on safety relevant signals (e. g. 4 mA to 20 mA analog signal)
that pass through the devices was evaluated.
Observe the PFH/PFDavg values in the functional safety manual and the specified calculation
rules. The devices fulfil the requirements for SIL 3 and can be used to pass safety relevant
signals through in applications up to SIL 3.
The surge protection barriers limit induced transients of different causes, e. g. lightning
or switching operations. This protection function itself is not the safety function of the device.
Safe State
The safe state depends on the application. There are 6 different applications:
•Digital input (NAMUR signal)
Lead breakage and short circuit are out of range and counted as safe failures.
•Digital output (de-energized to safe – DTS)
Lead breakage and short circuit interrupt the energy transfer to the field and are counted
as safe failures.
•Analog input (4 mA to 20 mA)
Lead breakage and short circuit are out of range and counted as safe failures.
•Analog output (4 mA to 20 mA)
Lead breakage and short circuit interrupt the energy transfer to the field and are counted
as safe failures.
•Resistance thermometer (RTD)
Measurement current = 200 µA (i. e. KFD2-UT2-1)
- R 3137 (Pt1000 at 600 °C)
- R 60 (Pt100 at -100 °C)
Wire resistance = 35 (1000 m total and 0.5 mm2 Cu)
Lead breakage and short circuit are out of range and counted as safe failures.
•Thermocouple (TC)
- U 80 mV (type E at 1000 K)
- U -10 mV (type E at -270 K)
Lead breakage and short circuit lead to plausible temperature readings and were rated
dangerous undetected. Special values apply, . If you are using a signal converter with line
fault detection, the values for standard 2-wire applications apply.
For the evaluation, all deviations from the input signal were rated as dangerous undetected,
if the deviations are
•greater than the specified leakage current or
•greater than the 1 line resistance.
The user must observe the valid range for the signals in the application and react accordingly
if this range is left.
The values given in the following table are calculated for 2-wire applications as field devices
are usually connected by more than one wire. For the calculation, add the numbers from
the respective column to the numbers given for the safety loop. They are already summarized
for the respective application.
Functional Safety M-LB-(Ex-)4000-System
Planning
2023-03
13
Safety Function
The safety function of the surge protection barrier is to behave like a piece of copper wire,
passing through the process signal without being altered.
Reaction Time
The reaction time is < 1 ms.
Note
The fault indication output is not safety relevant.
Note
See corresponding datasheets for further information.
2023-03
14
Functional Safety M-LB-(Ex-)4000-System
Planning
3.4 Characteristic Safety Values
M-LB-4224, M-LB-4244, M-LB-4254
Parameters Characteristic values
Assessment type Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function 1
1The safe state of the surge protection barrier depend on the application.
Pass through the signal
SIL 2
2The maximum safety integrity level of the safety loop in which the device might be used depends on the
performance values of the whole safety loop or the elements of the safety loop. See application examples section.
3
Analysis Analysis 1 3
3Analysis 1 represents a worst case analysis.
Analysis 2 4
4Analysis 2 represents an analysis with the assumption that lead short circuits and short circuits to ground
are detectable or do not have an effect.
sd 0 FIT 0 FIT
su 3 FIT 3 FIT
dd 0 FIT 7 FIT
du 10 FIT 3 FIT
no effect 37 FIT 37 FIT
no part 1 FIT 1 FIT
total (safety function) 13 FIT 13 FIT
MTBF 5
5acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 24 h.
2269 years 2269 years
Table 3.2
Functional Safety M-LB-(Ex-)4000-System
Planning
2023-03
15
M-LB-4222, M-LB-4242, M-LB-4252
Parameters Characteristic values
Assessment type Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function 1
1The safe state of the surge protection barrier depend on the application.
Pass through the signal
SIL 2
2The maximum safety integrity level of the safety loop in which the device might be used depends on the
performance values of the whole safety loop or the elements of the safety loop. See application examples section.
3
Analysis Analysis 1 3
3Analysis 1 represents a worst case analysis.
Analysis 2 4
4Analysis 2 represents an analysis with the assumption that lead short circuits and short circuits to ground
are detectable or do not have an effect.
sd 0 FIT 0 FIT
su 3 FIT 3 FIT
dd 0 FIT 2 FIT
du 10 FIT 8 FIT
no effect 37 FIT 37 FIT
no part 1 FIT 1 FIT
total (safety function) 13 FIT 13 FIT
MTBF 5
5acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 24 h.
2269 years 2269 years
Table 3.3
2023-03
16
Functional Safety M-LB-(Ex-)4000-System
Planning
M-LB-4212
Parameters Characteristic values
Assessment type Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function 1
1The safe state of the surge protection barrier depend on the application.
Pass through the signal
SIL 2
2The maximum safety integrity level of the safety loop in which the device might be used depends on the
performance values of the whole safety loop or the elements of the safety loop. See application examples section.
3
Analysis Analysis 1 3
3Analysis 1 represents a worst case analysis.
Analysis 2 4
4Analysis 2 represents an analysis with the assumption that lead short circuits and short circuits to ground
are detectable or do not have an effect.
sd 0 FIT 0 FIT
su 3 FIT 3 FIT
dd 0 FIT 13 FIT
du 16 FIT 3 FIT
no effect 44 FIT 44 FIT
no part 1 FIT 1 FIT
total (safety function) 19 FIT 19 FIT
MTBF 5
5acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 24 h.
1803 years 1803 years
Table 3.4
Functional Safety M-LB-(Ex-)4000-System
Planning
2023-03
17
M-LB-4214
Parameters Characteristic values
Assessment type Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function 1
1The safe state of the surge protection barrier depend on the application.
Pass through the signal
SIL 2
2The maximum safety integrity level of the safety loop in which the device might be used depends on the
performance values of the whole safety loop or the elements of the safety loop. See application examples section.
3
Analysis Analysis 1 3
3Analysis 1 represents a worst case analysis.
Analysis 2 4
4Analysis 2 represents an analysis with the assumption that lead short circuits and short circuits to ground
are detectable or do not have an effect.
sd 0 FIT 0 FIT
su 3 FIT 3 FIT
dd 0 FIT 17 FIT
du 20 FIT 3 FIT
no effect 48 FIT 48 FIT
no part 1 FIT 2 FIT
total (safety function) 23 FIT 23 FIT
MTBF 5
5acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 24 h.
1601 years 1601 years
Table 3.5
2023-03
18
Functional Safety M-LB-(Ex-)4000-System
Planning
M-LB-Ex-4242
Parameters Characteristic values
Assessment type Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function 1
1The safe state of the surge protection barrier depend on the application.
Pass through the signal
SIL 2
2The maximum safety integrity level of the safety loop in which the device might be used depends on the
performance values of the whole safety loop or the elements of the safety loop. See application examples section.
3
Analysis Analysis 1 3
3Analysis 1 represents a worst case analysis.
Analysis 2 4
4Analysis 2 represents an analysis with the assumption that lead short circuits and short circuits to ground
are detectable or do not have an effect.
sd 0 FIT 0 FIT
su 3 FIT 3 FIT
dd 0 FIT 6 FIT
du 10 FIT 4 FIT
no effect 54 FIT 54 FIT
no part 1 FIT 1 FIT
total (safety function) 13 FIT 13 FIT
MTBF 5
5nach SN29500. Dieser Wert enthält Ausfälle, die nicht Teil der Sicherheitsfunktion sind/MTTR = 24 h.
1696 years 1696 years
Table 3.6
Functional Safety M-LB-(Ex-)4000-System
Planning
2023-03
19
M-LB-4272
Parameters Characteristic values
Assessment type Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function 1
1The safe state of the surge protection barrier depend on the application.
Pass through the signal
SIL 2
2The maximum safety integrity level of the safety loop in which the device might be used depends on the
performance values of the whole safety loop or the elements of the safety loop. See application examples section.
3
Analysis Analysis 1 3
3Analysis 1 represents a worst case analysis.
Analysis 2 4
4Analysis 2 represents an analysis with the assumption that lead short circuits and short circuits to ground
are detectable or do not have an effect.
sd 0 FIT 0 FIT
su 2 FIT 2 FIT
dd 0 FIT 2 FIT
du 4 FIT 2 FIT
no effect 36 FIT 36 FIT
no part 1 FIT 1 FIT
total (safety function) 6 FIT 6 FIT
MTBF 5
5acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 24 h.
2686 years 2686 years
Table 3.7
2023-03
20
Functional Safety M-LB-(Ex-)4000-System
Planning
M-LB-4282
The characteristic safety values like PFD, PFH, SFF, HFT and T1 are taken
from the FMEDA report. Observe that PFD and T1 are related to each other.
The function of the devices has to be checked within the proof test interval (T1).
Parameters Characteristic values
Assessment type Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function 1
1The safe state of the surge protection barrier depend on the application.
Pass through the signal
SIL 2
2The maximum safety integrity level of the safety loop in which the device might be used depends on the
performance values of the whole safety loop or the elements of the safety loop. See application examples section.
3
Analysis Analysis 1 3
3Analysis 1 represents a worst case analysis.
Analysis 2 4
4Analysis 2 represents an analysis with the assumption that lead short circuits and short circuits to ground
are detectable or do not have an effect.
sd 0 FIT 0 FIT
su 2 FIT 2 FIT
dd 0 FIT 4 FIT
du 6 FIT 2 FIT
no effect 42 FIT 42 FIT
no part 1 FIT 1 FIT
total (safety function) 8 FIT 8 FIT
MTBF 5
5acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 24 h.
2261 years 2261 years
Table 3.8
This manual suits for next models
4
Table of contents
Other Pepperl+Fuchs Protection Device manuals
