Pepperl+Fuchs KFD2-RSH-1.2E.L2 User manual

Functional Safety
Relay Module
KFD2-RSH-1.2E.L2(-Y1),
KFD2-RSH-1.2E.L3(-Y1)
Manual

With regard to the supply of products, the current issue of the following document is applicable:
The General Terms of Delivery for Products and Services of the Electrical Industry, published by the Central
Association of the Electrical Industry (Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most
recent version as well as the supplementary clause: "Expanded reservation of proprietorship"
Worldwide
Pepperl+Fuchs Group
Lilienthalstr. 200
68307 Mannheim
Germany
Phone: +49 621 776 - 0
E-mail: info@de.pepperl-fuchs.com
North American Headquarters
Pepperl+Fuchs Inc.
1600 Enterprise Parkway
Twinsburg, Ohio 44087
USA
Phone: +1 330 425-3555
Asia Headquarters
Pepperl+Fuchs Pte. Ltd.
P+F Building
18 Ayer Rajah Crescent
Singapore 139942
Phone: +65 6779-9091
https://www.pepperl-fuchs.com

Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Contents
2019-11
1 Introduction
1.1 Content of this Document
1.2 Safety Information
1.3 Symbols Used
2 Product Description
2.1 Function
2.2 Interfaces
2.3 Marking
2.4 Standards and Directives for Functional Safety
3 Planning
3.1 System Structure
3.2 Assumptions
3.3 Safety Function and Safe State
3.4 Characteristic Safety Values
3.5 Useful Lifetime
4 Mounting and Installation
4.1 Mounting
4.2 Configuration
5 Operation
5.1 Internal Diagnosis
5.2 Proof Test Procedure
5.3 Application Examples
6 Maintenance and Repair
7 List of Abbreviations


Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Introduction
2019-12
1 Introduction
1.1 Content of this Document
This document contains information for usage of the device in functional safety-related
applications. You need this information to use your product throughout the applicable stages
of the product life cycle. These can include the following:
•Product identification
•Delivery, transport, and storage
•Mounting and installation
•Commissioning and operation
•Maintenance and repair
•Troubleshooting
•Dismounting
•Disposal
The documentation consists of the following parts:
•Present document
•Instruction manual
•Manual
•Datasheet
Additionally, the following parts may belong to the documentation, if applicable:
•EU-type examination certificate
•EU declaration of conformity
•Attestation of conformity
•Certificates
•Control drawings
•FMEDA report
•Assessment report
•Additional documents
For more information about Pepperl+Fuchs products with functional safety,
see www.pepperl-fuchs.com/sil.
Note
This document does not substitute the instruction manual.
Note
For full information on the product, refer to the instruction manual and further documentation
on the Internet at www.pepperl-fuchs.com.

1.2 Safety Information
Target Group, Personnel
Responsibility for planning, assembly, commissioning, operation, maintenance,
and dismounting lies with the plant operator.
Only appropriately trained and qualified personnel may carry out mounting, installation,
commissioning, operation, maintenance, and dismounting of the product. The personnel
must have read and understood the instruction manual and the further documentation.
Intended Use
The device is only approved for appropriate and intended use. Ignoring these instructions
will void any warranty and absolve the manufacturer from any liability.
The device is developed, manufactured and tested according to the relevant safety standards.
Use the device only
•for the application described
•with specified environmental conditions
•with devices that are suitable for this safety application
Improper Use
Protection of the personnel and the plant is not ensured if the device is not used according
to its intended use.

1.3 Symbols Used
This document contains symbols for the identification of warning messages and
of informative messages.
Warning Messages
You will find warning messages, whenever dangers may arise from your actions.
It is mandatory that you observe these warning messages for your personal safety and in order
to avoid property damage.
Depending on the risk level, the warning messages are displayed in descending order
as follows:
Danger!
This symbol indicates an imminent danger.
Non-observance will result in personal injury or death.
Warning!
This symbol indicates a possible fault or danger.
Non-observance may cause personal injury or serious property damage.
Caution!
This symbol indicates a possible fault.
Non-observance could interrupt the device and any connected systems and plants,
or result in their complete failure.
Informative Symbols
Note
This symbol brings important information to your attention.
Action
This symbol indicates a paragraph with instructions. You are prompted to perform an action
or a sequence of actions.

2 Product Description
2.1 Function
General
This signal conditioner provides the galvanic isolation between field circuits
and control circuits.
The energized to safe (ETS) function is permitted for SIL 3 applications.
An internal fault or a line fault is signaled by the impedance change of the relay contact input
and an additional relay contact output.
A fault is signaled by LEDs and a separate collective error message output.
KFD2-RSH-1.2E.L2(-Y1)
The device is a relay module that is suitable for safe switching of a load circuit.
The device isolates load circuits up to 60 V DC and the 24 V DC control circuit.
KFD2-RSH-1.2E.L3(-Y1)
The device is a relay module that is suitable for safe switching of a load circuit.
The device isolates load circuits up to 230 V AC and the 24 V DC control circuit.
Y1 Version
This device is compatible with the following control system: Emerson DeltaV CHARM.
Compatibility checks for other ESD/DCS systems are available on request.
2.2 Interfaces
The device has the following interfaces:
•Safety-relevant interfaces: input, output (ETS)
•Non-safety relevant interfaces: fault indication output
Note
For corresponding connections see datasheet.

2.3 Marking
Pepperl+Fuchs Group
Lilienthalstraße 200, 68307 Mannheim, Germany
Internet: www.pepperl-fuchs.com
KFD2-RSH-1.2E.L2, KFD2-RSH-1.2E.L2-Y1,
KFD2-RSH-1.2E.L3, KFD2-RSH-1.2E.L3-Y1
Up to SIL 3
2.4 Standards and Directives for Functional Safety
Device-specific standards and directives
Functional safety: IEC/EN 61508, part 1 – 2, edition 2010:
Functional safety of electrical/electronic/programmable
electronic safety-related systems (manufacturer)

3 Planning
3.1 System Structure
3.1.1 Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one
for the functional safety, then usually the demand rate for the safety loop is assumed to be less
than once per year.
The relevant safety parameters to be verified are:
•the PFDavg value (average Probability of dangerous Failure on Demand)
and the T1 value (proof test interval that has a direct impact on the PFDavg value)
•the SFF value (Safe Failure Fraction)
•the HFT architecture (Hardware Fault Tolerance)
3.1.2 High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and safety-related
operation, then usually the demand rate for this safety loop is assumed to be higher
than once per year.
The relevant safety parameters to be verified are:
•the PFH value (Probability of dangerous Failure per Hour)
•Fault reaction time of the safety system
•the SFF value (Safe Failure Fraction)
•the HFT architecture (Hardware Fault Tolerance)
3.1.3 Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous detected failures
to the total failure rate.
SFF = (λ_s + λ_dd) / (λ_s + λ_dd + λ_du)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or (sub)systems
in a complete safety loop. The device under consideration is always part of a safety loop but
is not regarded as a complete element or subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure fraction
of elements, subsystems and the complete system, but not of a single device.
Nevertheless the SFF of the device is given in this document for reference.

3.2 Assumptions
The following assumptions have been made during the FMEDA:
•Failure rates are constant, wear is not considered.
•Failure rates are based on the Siemens standard SN 29500.
•The safety-related device is considered to be a type A device with a hardware
fault tolerance of 0.
•The device will be used under average industrial ambient conditions comparable
to the classification "stationary mounted" according to MIL-HDBK-217F.
Alternatively, operating stress conditions typical of an industrial field environment similar
to IEC/EN 60654-1 Class C with an average temperature over a long period of time
of 40 ºC may be assumed. For a higher average temperature of 60 ºC, the failure rates
must be multiplied by a factor of 2.5 based on experience. A similar factor must be used
if frequent temperature fluctuations are expected.
•The nominal voltage at the digital input is 24 V. Ensure that the nominal voltage
does not exceed 26.4 V under all operating conditions.
•To achieve the safe state even in the case of an internal device fault, the DO card
must be able to supply a signal current of at least 100 mA.
•Observe the useful lifetime limitations of the output relays.
SIL 3 application
•To build a SIL safety loop for the defined SIL, it is assumed as an example that this device
uses 10 % of the available budget for PFDavg/PFH.
•For a SIL 3 application operating in low demand mode the total PFDavg value
of the SIF (Safety Instrumented Function) should be smaller than 10⁻³,
hence the maximum allowable PFDavg value would then be 10⁻⁴.
•For a SIL 3 application operating in high demand mode the total PFH value
of the SIF should be smaller than 10⁻⁷ per hour, hence the maximum allowable PFH value
would then be 10⁻⁸ per hour.
•For a SIL 3 application operating in high demand mode the internal fault detection
and the line fault detection must be enabled. The fault indication output,
the collective error message output, or the input impedance change must be monitored.
In case of detected faults the necessary reaction must be introduced.
•If the device is used in applications for high demand mode, perform a risk analysis
regarding systematic faults and implement suitable measures to control these systematic
faults. For example, this can be the following measures:
•usage of redundant power supplies,
•monitoring of input signal, wiring and connections for short circuits and open circuits,
•monitoring the output for open circuits.
•Since the safety loop has a hardware fault tolerance of 0 and it is a type A device,
the SFF must be > 90 % according to table 2 of IEC/EN 61508-2 for a SIL 3 (sub) system.
SILCL and PL application
•The standards IEC/EN 62061 and EN/ISO 13849-1 require that the safety device
is implemented according to the idle current principle. As the device is implemented
following the working current principle, no safety classification according
to IEC/EN 62061 and EN/ISO 13849-1 was carried out. If you use the device
in machinery safety applications, assess the specific application and show that
an equivalent safety level will be achieved.

3.3 Safety Function and Safe State
Safety Function
Whenever the input of the device is energized, the ETS output is conducting.
Safe State
In the safe state of the safety function the ETS output is closed (conducting).
Reaction Time
The fault reaction time is < 2 s.

3.4 Characteristic Safety Values
| Parameters | Characteristic values |
|---|---|
| Assessment type and documentation | Full assessment |
| Device type | A |
| Mode of operation | Low demand mode or high demand mode |
| Safety function | Output is energized (ETS, energized to safe) |
| HFT | 0 |
| SIL | 3 |
| SC | 3 |

| Parameters | without diagnosis | with diagnosis |
|---|---|---|
| λ_s ¹ | 300 FIT | 300 FIT |
| λ_dd | 0 FIT | 2.81 FIT |
| λ_du ² | 3.47 FIT | 0.65 FIT |
| λ_total (safety function) ¹ | 304 FIT | 304 FIT |
| λ_total | 2052 FIT | 2052 FIT |
| SFF ¹ | 98.8 % | 99.8 % |
| MTBF ³ | 56 years | 56 years |
| DCavg ⁴ | 0 % | 81.2 % |
| PTC | 81.2 % | 81.2 % |
| PFH | 3.47 x 10⁻⁹ 1/h | 6.52 x 10⁻¹⁰ 1/h |
| PFDavg for T1 = 1 year ⁵ | 4.1 x 10⁻⁵ | 7.6 x 10⁻⁶ |
| PFDavg for T1 = 2 years ⁴ | 5.3 x 10⁻⁵ | 1.0 x 10⁻⁵ |
| PFDavg for T1 = 3 years ⁴ | 6.6 x 10⁻⁵ | 1.2 x 10⁻⁵ |
| T1 max. ⁶ | 6.5 years | 35.0 years |

Reaction time ⁷: < 2 s
Table 3.1
¹ "No effect failures" are not influencing the safety function and are therefore not included in SFF and in the failure rates
of the safety function.
² While the diagnostic function is signaling the dangerous failure of one relay, the other two redundant relays continue to provide
the safety function. Exceptions are common cause failures that disrupt all three relays. While the diagnostic function is signaling
the failure, the probability of a dangerous undetected failure for the remaining two relays is increasing to 11.4 FIT.
³ acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 8 h. The value is calculated
for one safety function of the device.
⁴ Enable the internal fault detection to achieve a diagnostic coverage of 81.2 %. See chapter 5.1.
⁵ Since the current PTC value is < 100 % and therefore the probability of failure will increase, calculate the PFD value according
to the following formula:
PFDavg = (λ_du / 2) x (PTC x T1 + (1 – PTC) x Tservice)
A service time Tservice of 10 years was assumed for the calculation of PFDavg.
⁶ assuming 10 % of the PFDavg budget in the safety loop, T1 = Tservice
⁷ Step response time, also valid under fault conditions (including fault detection and fault reaction)

The characteristic safety values like PFD, PFH, SFF, HFT and T1 are taken
from the FMEDA report. Observe that PFD and T1 are related to each other.
The function of the devices has to be checked within the proof test interval (T1).
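The following is an added worked example, not part of the manufacturer's manual: it recomputes SFF, PFDavg and T1 max from the FIT values in Table 3.1 with the formulas from section 3.1.3 and footnotes 5 and 6, and checks them against the 10 % example budget from section 3.2. The results agree with the table to within rounding; all function and constant names are assumptions of this example, as is taking PFH equal to the dangerous undetected failure rate (which is what the PFH row of Table 3.1 equals).

```python
HOURS_PER_YEAR = 8760
FIT = 1e-9                 # 1 FIT = one failure per 10^9 hours

# Failure rates from Table 3.1 in FIT: (lambda_s, lambda_dd, lambda_du)
WITHOUT_DIAGNOSIS = (300.0, 0.0, 3.47)
WITH_DIAGNOSIS = (300.0, 2.81, 0.65)

PTC = 0.812                # proof test coverage (Table 3.1)
T_SERVICE_YEARS = 10.0     # service time assumed in footnote 5
SIL3_PFDAVG_MAX = 1e-3     # low demand limit for the whole SIF (section 3.2)
SIL3_PFH_MAX = 1e-7        # high demand limit for the whole SIF, per hour
DEVICE_SHARE = 0.10        # example share of the budget used by this device


def sff(lam_s, lam_dd, lam_du):
    """Safe failure fraction as defined in section 3.1.3."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def pfd_avg(lam_du_fit, t1_years, temp_factor=1.0):
    """PFDavg per footnote 5; temp_factor=2.5 models a 60 degC average."""
    lam_du = lam_du_fit * FIT * temp_factor
    t1 = t1_years * HOURS_PER_YEAR
    t_service = T_SERVICE_YEARS * HOURS_PER_YEAR
    return lam_du / 2 * (PTC * t1 + (1 - PTC) * t_service)


def t1_max_years(lam_du_fit, temp_factor=1.0):
    """Footnote 6: with T1 = Tservice the formula reduces to lam_du/2 * T1."""
    allowed = SIL3_PFDAVG_MAX * DEVICE_SHARE
    hours = 2 * allowed / (lam_du_fit * FIT * temp_factor)
    return hours / HOURS_PER_YEAR


def budget_check(rates_fit, t1_years, temp_factor=1.0):
    """Return the loop-calculation figures plus pass/fail flags.

    Assumption of this example: PFH is taken as lambda_du.
    """
    lam_s, lam_dd, lam_du = rates_fit
    pfd = pfd_avg(lam_du, t1_years, temp_factor)
    pfh = lam_du * FIT * temp_factor
    fraction = sff(lam_s, lam_dd, lam_du)
    return {
        "sff": fraction,
        "pfd_avg": pfd,
        "pfh": pfh,
        "pfd_ok": pfd <= SIL3_PFDAVG_MAX * DEVICE_SHARE,
        "pfh_ok": pfh <= SIL3_PFH_MAX * DEVICE_SHARE,
        "sff_ok": fraction > 0.90,   # HFT 0, type A, SIL 3 (section 3.2)
    }


if __name__ == "__main__":
    for name, rates in (("without diagnosis", WITHOUT_DIAGNOSIS),
                        ("with diagnosis", WITH_DIAGNOSIS)):
        for factor in (1.0, 2.5):
            r = budget_check(rates, t1_years=1, temp_factor=factor)
            print(f"{name:18s} factor {factor}: SFF {r['sff']:.1%} "
                  f"PFDavg {r['pfd_avg']:.2e} ok={r['pfd_ok']} "
                  f"PFH {r['pfh']:.2e} ok={r['pfh_ok']}")
```

With the factor of 2.5 for a 60 ºC average temperature, the PFDavg without diagnosis for T1 = 1 year comes to about 1.0 x 10⁻⁴ and no longer fits the 10 % example budget, while the value with diagnosis still does.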
3.5 Useful Lifetime
Although a constant failure rate is assumed by the probabilistic estimation this only applies
provided that the useful lifetime of components is not exceeded. Beyond this useful lifetime,
the result of the probabilistic estimation is meaningless as the probability of failure significantly
increases with time. The useful lifetime is highly dependent on the component itself
and its operating conditions – temperature in particular. For example, the electrolytic
capacitors can be very sensitive to the operating temperature.
This assumption of a constant failure rate is based on the bathtub curve, which shows
the typical behavior for electronic components.
Therefore it is obvious that failure calculation is only valid for components that have
this constant domain and that the validity of the calculation is limited to the useful lifetime
of each component.
It is assumed that early failures are detected to a large extent during the installation
and therefore the assumption of a constant failure rate during the useful lifetime is valid.
The standard EN/ISO 13849-1:2015 proposes a useful lifetime TM of 20 years for devices
used within industrial environments. This device is designed for this lifetime.
Observe that the useful lifetime can be reduced if the device is exposed to the following
conditions:
•highly stressful environmental conditions such as constantly high temperatures
•temperature cycles with high temperature differences
•permanent repeated mechanical stress (vibration)
As noted in DIN EN 61508-2:2011 note N3, appropriate measures taken by the manufacturer
and plant operator can extend the useful lifetime.
Please note that the useful lifetime refers to the (constant) failure rate of the device.
The effective lifetime can be higher.
The estimated useful lifetime is greater than the warranty period prescribed by law
or the manufacturer's guarantee period. However, this does not result in an extension
of the warranty or guarantee services. Failure to reach the estimated useful lifetime
is not a material defect.
Derating
For the safety application, reduce the number of switching cycles or the maximum current.
A derating to 2/3 of the maximum value is adequate.
Maximum Switching Power of Output Contacts
The useful lifetime is limited by the maximum switching cycles of the relays
under load conditions.
For requirements regarding the connected output load, refer to the documentation
of the connected peripheral devices.
Note
See corresponding datasheets for further information.

4 Mounting and Installation
Mounting and Installing the Device
1. Observe the safety instructions in the instruction manual.
2. Observe the information in the manual.
3. Observe the requirements for the safety loop.
4. Connect the device only to devices that are suitable for this safety application.
5. Check the safety function to ensure the expected output behavior.
4.1 Mounting
Tighten the terminal screws with a torque of 0.5 ... 0.6 Nm.
4.2 Configuration
Configuring the Device
The device is configured via DIP switches. The DIP switches are on the side of the device.
1. De-energize the device before configuring the device.
2. Remove the device.
3. Configure the device via the DIP switches.
4. Secure the DIP switches to prevent unintentional adjustments.
5. Mount the device.
6. Connect the device again.
4.2.1 Output Configuration
Note
The device configuration via DIP switches is not safety relevant.
Note
See corresponding datasheets for further information.
| Switch S1 | Switch S2 | Line fault detection | Internal fault detection |
|---|---|---|---|
| Off | Off | disabled | disabled |
| On | Off | enabled | disabled |
| Off | On | not used | not used |
| On | On | enabled | enabled |

Table 4.1

5 Operation
Operating the device
1. Observe the safety instructions in the instruction manual.
2. Observe the information in the manual.
3. Use the device only with devices that are suitable for this safety application.
4. Correct any occurring safe failures within 8 hours. Take measures to maintain
the safety function while the device is being repaired.
Danger!
Danger to life from missing safety function
If the safety loop is put out of service, the safety function is no longer guaranteed.
•Do not deactivate the device.
•Do not bypass the safety function.
•Do not repair, modify, or manipulate the device.

5.1 Internal Diagnosis
With enabled internal fault detection a diagnostic coverage of 81.2 % is achieved.
Monitor one of the 4 possible ways of fault detection:
•Input impedance change ¹
•Fault indication output
•Collective error message output
•LED indication
The device has three output relays. To ensure a complete diagnosis, three switching
operations are necessary. You have 2 options to achieve the diagnostic coverage, see step 2
of the following section.
Internal Diagnosis Procedure
1. Enable the internal fault detection. See chapter 4.2.1.
2. You have 2 options to achieve the diagnostic coverage:
•Switch on the output manually three times.
or
Observe whether the output switches on three times during the normal operation.
or
•Check the output function at periodic intervals. Switch on the output at least three times a
year as described in the steps 1 and 2.
¹ In this case only use a safety PLC with digital output and line fault detection.
Note
Maintain an interval of at least 2 s between the switching operations.

5.2 Proof Test Procedure
This section describes a possible proof test procedure. The user is not obliged to use
this proposal. The user may consider different concepts with an individual determination
of the respective effectiveness, e. g. concepts according to NA106:2018.
According to IEC/EN 61508-2 a recurring proof test shall be undertaken to reveal potential
dangerous failures that are not detected otherwise.
Check the function of the subsystem at periodic intervals depending on the applied PFDavg
in accordance with the characteristic safety values. See chapter 3.4.
The internal fault detection may be used to implement a proof test. The diagnostic coverage
then counts as the proof test coverage. See chapter 3.4.
It is under the responsibility of the plant operator to define the type of proof test and the interval
time period.
Conditions
If the conditions are met, you can also check the device in the application.
| | KFD2-RSH-1.2E.L2(-Y1) | KFD2-RSH-1.2E.L3(-Y1) |
|---|---|---|
| Load power supply | > 5 V DC | > 35.5 V AC |
| Device power supply (LED PWR is on) | 24 V DC | 24 V DC |
| Output load | 13.2 Ω < R < 7.3 kΩ | 39.2 Ω < R < 45 kΩ |
| Current through load | 14 mA < I < 1.9 A | 13.5 mA AC < I < 4.9 A AC |
| Input current | 36 mA | 36 mA |

Table 5.1

Proof Test Procedure
1. Enable the internal fault detection and the line fault detection. See chapter 4.2.1.
2. Check the device as shown in the following tables.
3. After the check, reset the device to the necessary settings.
4. Check the correct behavior of the safety loop. Is the configuration correct?
The proof test is successful only if all tests are completed successfully.
| Test No. | Input | Output |
|---|---|---|
| 1 | V = 0 V DC between terminals 7+ and 8- | |
| 2 | Wait at least 2 seconds. | LED OUT is off. LED FLT is off ¹. |
| 3 | V = 24 V DC between terminals 7+ and 8- | |
| 4 | Wait at least 2 seconds. | LED OUT is on. LED FLT is off ¹. |
| 5 | V = 0 V DC between terminals 7+ and 8- | |
| 6 | Wait at least 2 seconds. | LED OUT is off. LED FLT is off ¹. |
| 7 | V = 24 V DC between terminals 7+ and 8- | |
| 8 | Wait at least 2 seconds. | LED OUT is on. LED FLT is off ¹. |
| 9 | V = 0 V DC between terminals 7+ and 8- | |
| 10 | Wait at least 2 seconds. | LED OUT is off. LED FLT is off ¹. |
| 11 | V = 24 V DC between terminals 7+ and 8- | |
| 12 | Wait at least 2 seconds. | LED OUT is on. LED FLT is off ¹. |

Table 5.2 Expected test results for the proof test
¹ When the FLT LED flashes, a line fault is present. Check whether the supply voltage and the connected load are in the OK area
of the line fault detection.
When the FLT LED is lit continuously, an internal fault is present. Reset the internal fault by interrupting the power supply
(terminals 14+/15-).
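As an added example that is not part of the manufacturer's manual, the following sketch evaluates a recorded proof test against Table 5.2: three off/on cycles at terminals 7+ and 8-, a wait of at least 2 seconds before each reading, LED OUT following the input and LED FLT off. The record format (`Observation`) and all names are assumptions of this example, and the sample records are constructed.

```python
from dataclasses import dataclass

MIN_WAIT_S = 2.0                          # "Wait at least 2 seconds."
INPUT_SEQUENCE_V = (0, 24, 0, 24, 0, 24)  # tests 1, 3, 5, 7, 9, 11

# Interpretation of a non-off LED FLT, from the footnote to Table 5.2
FLT_MEANING = {
    "flashing": "line fault: check supply voltage and connected load",
    "on": "internal fault: reset by interrupting power at terminals 14+/15-",
}


@dataclass
class Observation:
    """One input step and the LED reading that follows it (constructed format)."""
    v_in: float      # V DC applied between terminals 7+ and 8-
    waited_s: float  # time between applying v_in and reading the LEDs
    led_out: bool    # True if LED OUT is on
    led_flt: str     # "off", "flashing" or "on"


def evaluate_proof_test(observations):
    """Return a list of findings; an empty list means Table 5.2 was met."""
    findings = []
    if len(observations) != len(INPUT_SEQUENCE_V):
        findings.append(
            f"expected {len(INPUT_SEQUENCE_V)} input steps, got {len(observations)}")
    for index, (obs, v_expected) in enumerate(zip(observations, INPUT_SEQUENCE_V)):
        set_no, read_no = 2 * index + 1, 2 * index + 2
        if obs.v_in != v_expected:
            findings.append(
                f"test {set_no}: input is {obs.v_in} V, expected {v_expected} V")
        if obs.waited_s < MIN_WAIT_S:
            findings.append(
                f"test {read_no}: waited {obs.waited_s} s, minimum is {MIN_WAIT_S} s")
        if obs.led_out != (v_expected == 24):
            wanted = "on" if v_expected == 24 else "off"
            findings.append(f"test {read_no}: LED OUT should be {wanted}")
        if obs.led_flt != "off":
            meaning = FLT_MEANING.get(obs.led_flt, "unknown LED FLT state")
            findings.append(f"test {read_no}: LED FLT {obs.led_flt} ({meaning})")
    return findings


# Constructed sample records: a clean run and one with a flashing FLT LED.
GOOD_RUN = [Observation(v, 2.5, v == 24, "off") for v in INPUT_SEQUENCE_V]
LINE_FAULT_RUN = list(GOOD_RUN)
LINE_FAULT_RUN[3] = Observation(24, 2.5, True, "flashing")

if __name__ == "__main__":
    print("good run:", evaluate_proof_test(GOOD_RUN) or "passed")
    for finding in evaluate_proof_test(LINE_FAULT_RUN):
        print("line fault run:", finding)
```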

5.3 Application Examples
5.3.1 Standard Application for Dual Pole Switching
For a switching application, the device has to be attached to the process control system
and the load in the following way.
Figure 5.1 Standard application for dual pole switching
In the standard application, the process control system is connected to terminals 7+ and 8-.
The line fault transparency (LFT) of the safety relay must be compatible with the line fault
detection of the process control system output. Terminals 10 and 11 can be used as fault
indication output to the process control system.
The characteristic safety values valid for the standard application can be found in Table 3.1.
[Figure 5.1: wiring diagram for KFD2-RSH-1.2E.L2(-Y1) and KFD2-RSH-1.2E.L3(-Y1); labels shown: terminals 7+, 8-, ETS, 2-, 3, 5+, 6, 10, 11, Fault, 14+, 15-, 24 V DC, Power Rail, Zone 2]