Pepperl+Fuchs HiD2035 User manual
Functional Safety
Current Driver/Repeater
HiD2035, HiD2036
PROCESS AUTOMATION
MANUAL
ISO9001
2
With regard to the supply of products, the current issue of the following document is
applicable: The General Terms of Delivery for Products and Services
of the Electrical Industry, published by the Central Association of the Electrical Industry
(Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most recent
version as well as the supplementary clause: "Expanded reservation of proprietorship"
Functional Safety HiD2035, HiD2036
Functional Safety HiD2035, HiD2036
Content
2016-06
3
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Symbols Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Product Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1 Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4 Standards and Directives for Functional Safety. . . . . . . . . . . . 8
3 Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1 System Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 Safety Function and Safe State . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4 Characteristic Safety Values . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.5 Useful Life Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4 Mounting and Installation . . . . . . . . . . . . . . . . . . . . . . . . 14
4.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5 Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
5.1 Proof Test Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6 Maintenance and Repair . . . . . . . . . . . . . . . . . . . . . . . . . 18
7 List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Functional Safety Manual HiD2872, HiC2873(Y1), HiD2876, HiC2877
2016-06
4
Functional Safety HiD2035, HiD2036
Introduction
1Introduction
1.1 Contents
This document contains information for usage of the device in functional safety-
related applications. You need this information to use your product throughout the
applicable stages of the product life cycle. These can include the following:
• Product identification
• Delivery, transport, and storage
• Mounting and installation
• Commissioning and operation
• Maintenance and repair
•Troubleshooting
•Dismounting
•Disposal
The documentation consists of the following parts:
•Presentdocument
• Instruction manual
•Manual
• Datasheet
Additionally, the following parts may belong to the documentation, if applicable:
• EC-type of examination
• EU declaration of conformity
• Attestation of conformity
• Certificates
• Control drawings
• FMEDA report
• Assessment report
• Additional documents
For more information about functional safety products from Pepperl+Fuchs see
www.pepperl-fuchs.com/sil.
Note!
This document does not substitute the instruction manual.
Note!
For full information on the product, refer to the instruction manual and further
documentation on the Internet at www.pepperl-fuchs.com.
Functional Safety KFD2-SR3-(Ex)2.2S
Functional Safety HiD2035, HiD2036
Introduction
2016-06
5
1.2 Safety Information
Target Group, Personnel
Responsibility for planning, assembly, commissioning, operation, maintenance,
and dismounting lies with the plant operator.
Only appropriately trained and qualified personnel may carry out mounting,
installation, commissioning, operation, maintenance, and dismounting of the
product. The personnel must have read and understood the instruction manual
and the further documentation.
Intended Use
The device is only approved for appropriate and intended use. Ignoring these
instructions will void any warranty and absolve the manufacturer from any liability.
The device is developed, manufactured and tested according to the relevant
safety standards.
Use the device only
• for the application described
• with specified environmental conditions
• with devices that are suitable for this safety application
Improper Use
Protection of the personnel and the plant is not ensured if the device is not used
according to its intended use.
1.3 Symbols Used
This document contains symbols for the identification of warning messages and
of informative messages.
Warning Messages
You will find warning messages, whenever dangers may arise from your actions.
It is mandatory that you observe these warning messages for your personal safety
and in order to avoid property damage.
2016-06
6
Functional Safety HiD2035, HiD2036
Introduction
Depending on the risk level, the warning messages are displayed in descending
order as follows:
Informative Symbols
Action
This symbol indicates a paragraph with instructions. You are prompted to perform
an action or a sequence of actions.
Danger!
This symbol indicates an imminent danger.
Non-observance will result in personal injury or death.
Warning!
This symbol indicates a possible fault or danger.
Non-observance may cause personal injury or serious property damage.
Caution!
This symbol indicates a possible fault.
Non-observance could interrupt the device and any connected systems and
plants, or result in their complete failure.
Note!
This symbol brings important information to your attention.
Functional Safety HiD2035, HiD2036
Product Description
2016-06
7
2 Product Description
2.1 Function
This isolated barrier is used for intrinsic safety applications.
The device repeats the 1.5 mA ... 50 mA input signal from a control system to
drive fire and smoke alarms on the field side.
The device drives also I/P converters on the field side.
An open field circuit presents a high impedance to the control side to allow alarm
conditions to be monitored by control systems.
The device is loop powered. From the control side no additional power supply has
to be connected.
A reverse polarity protection prevents damage to the device caused by faulty
wiring.
This device mounts on a HiD Termination Board.
2.2 Interfaces
The device has the following interfaces.
• Safety relevant interfaces:
• 1-channel devices: input I, output I
• 2-channel devices: input I, input II, output I, output II
• Non-safety relevant interfaces: none
2.3 Marking
Note!
For corresponding connections see datasheet.
Pepperl+Fuchs GmbH
Lilienthalstraße 200, 68307 Mannheim, Germany
HiD2035, HiD2036 Up to SIL 2
Functional Safety HiD2035, HiD2036
2016-06
8
Functional Safety HiD2035, HiD2036
Product Description
2.4 Standards and Directives for Functional Safety
Device-specific standards and directives
System-specific standards and directives
Functional safety IEC/EN 61508, part 2, edition 2010:
Functional safety of
electrical/electronic/programmable electronic
safety-related systems (manufacturer)
Functional safety IEC/EN 61511, part 1 –3, edition 2003:
Functional safety –Safety instrumented systems for
the process industry sector (user)
Functional Safety HiD2035, HiD2036
Planning
2016-06
9
3 Planning
3.1 System Structure
3.1.1 Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one for
the functional safety, then usually the demand rate for the safety loop is assumed
to be less than once per year.
The relevant safety parameters to be verified are:
•thePFD
avg value (average Probability of dangerous Failure on Demand) and
the T1value(prooftestintervalthathas a direct impact on the PFDavg value)
• the SFF value (Safe Failure Fraction)
•theHFTarchitecture(Hardware Fault Tolerance)
3.1.2 High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and
safety-related operation, then usually the demand rate for this safety loop is
assumed to be higher than once per year.
The relevant safety parameters to be verified are:
• the PFH value (Probability of dangerous Failure per Hour)
• Fault reaction time of the safety system
• the SFF value (Safe Failure Fraction)
•theHFTarchitecture(Hardware Fault Tolerance)
3.1.3 Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous
detected failures to the total failure rate.
SFF = (s+ dd) / (s+ dd + du)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or
(sub)systems in a complete safety loop. The device under consideration is
always part of a safety loop but is not regarded as a complete element or
subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure
fraction of elements, subsystems and the complete system, but not of a single
device.
Nevertheless the SFF of the device is given in this document for reference.
Functional Safety HiD2035, HiD2036
2016-06
10
Functional Safety HiD2035, HiD2036
Planning
3.2 Assumptions
The following assumptions have been made during the FMEDA:
• The device shall claim less than 10 % of the total failure budget for a
SIL 2 safety loop.
• For a SIL 2 application operating in low demand mode the total PFDavg value
of the SIF (Safety Instrumented Function) should be smaller than 10-2, hence
the maximum allowable PFDavg value would then be 10-3.
• For a SIL 2 application operating in high demand mode the total PFH value of
the SIF should be smaller than 10-6 per hour, hence the maximum allowable
PFH value would then be 10-7 per hour.
• Failure rate based on the Siemens standard SN29500.
• Failure rates are constant, wear is not considered.
• External power supply failure rates are not included.
• The safety-related device is considered to be of type Adevice with a hardware
fault tolerance of 0.
• Since the safety loop has a hardware fault tolerance of 0and it is a
type Adevice, the SFF must be > 60 % according to table 2 of
IEC/EN 61508-2 for a SIL 2 (sub) system.
• The device will be used under average industrial ambient conditions, which
are comparable with the classification "stationary mounted" in
MIL-HDBK-217F. Alternatively, the following ambient conditions are assumed:
• IEC/EN 60654-1 Class C (sheltered location) with temperature limits in the
range of the manufacturer's specifications and an average temperature of
40 ºC over a long period. The humidity level is within manufacturer's rating.
For a higher average temperature of 60 ºC, the failure rates must be
multiplied by a factor of 2.5 based on experience. A similar factor must be
used if frequent temperature fluctuations are expected.
• The application program in the programmable logic controller (PLC) is
configured to detect underrange and overrange failures.
• The devices are not protected against power supply failures. It is within the
responsibility of the user to ensure that low supply voltages are detected and
adequate reaction on this fault is implemented.
Functional Safety HiD2035, HiD2036
Planning
2016-06
11
3.3 Safety Function and Safe State
Safe State
The safe state depends on the respective application. When the output values are
below 3.6 mA or above 50 mA, the device indicates failures that are considered
as dangerous detected.
Safety Function
The device transfers a current from the field side to the control side with an
accuracy of ±1mA.
Reaction Time
The reaction time for all safety functions is < 100 ms.
Note!
For more information see the corresponding datasheets.
2016-06
12
Functional Safety HiD2035, HiD2036
Planning
3.4 Characteristic Safety Values
HiD2035, HiD2036, 1oo1 Structure
The characteristic safety values like PFD, SFF, HFT and T1are taken from the
SIL report/FMEDA report. Observe that PFD and T1are related to each other.
The function of the devices has to be checked within the proof test interval (T1).
Parameters acc. to IEC 61508 Characteristic values
Assessment type and documentation FMEDA report
Device type A
Mode of operation Low Demand Mode or High Demand Mode
HFT 0
SIL (SC) 2
Safety function Current transfer from the field side to the control
side
sd + su1
1"Not considered" failures are considered 50 % as dangerous undetected and 50 % as "No effect". "No effect"
failures are not influencing the safety functions and are therefore not included in the calculation of the SFF.
0 FIT
dd 124 FIT
du171 FIT
total (safety function) 194 FIT
not part 0 FIT
SFF 63 %
PTC 100 %
MTBF 2
2acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 8 h. This value
is calculated for one safety function of a device.
298 years
PFH 7.06 x 10-8 1/h
PFDavg for T1= 1 year 3.09 x 10-4
PFDavg for T1= 2 years 6.18 x 10-4
PFDavg for T1= 5 years 1.54 x 10-3
Reaction time < 100 ms
Table 3.1
Functional Safety HiD2035, HiD2036
Planning
2016-06
13
3.5 Useful Life Time
Although a constant failure rate is assumed by the probabilistic estimation this
only applies provided that the useful lifetime of components is not exceeded.
Beyond this useful lifetime, the result of the probabilistic estimation is
meaningless as the probability of failure significantly increases with time. The
useful lifetime is highly dependent on the component itself and its operating
conditions –temperature in particular. For example, the electrolytic capacitors
can be very sensitive to the operating temperature.
This assumption of a constant failure rate is based on the bathtub curve, which
shows the typical behavior for electronic components.
Therefore it is obvious that failure calculation is only valid for components that
have this constant domain and that the validity of the calculation is limited to the
useful lifetime of each component.
It is assumed that early failures are detected to a huge percentage during the
installation and therefore the assumption of a constant failure rate during the
useful lifetime is valid.
However, according to IEC/EN 61508-2, a useful lifetime, based on general
experience, should be assumed. Experience has shown that the useful lifetime
often lies within a range period of about 8 ... 12 years.
As noted in DIN EN 61508-2:2011 note N3, appropriate measures taken by the
manufacturer and plant operator can extend the useful lifetime.
Our experience has shown that the useful lifetime of a Pepperl+Fuchs product
can be higher
• if there are no components with reduced life time in the safety loop (for
example electrolytic capacitors, relays, flash memories, optocoupler) which
can produce dangerous undetected failures and
• if the ambient temperature is significantly below 60 °C.
Please note that the useful lifetime refers to the (constant) failure rate of the
device. The effective life time can be higher.
2016-06
14
Functional Safety HiD2035, HiD2036
Mounting and Installation
4 Mounting and Installation
Installing the device
1. Observe the safety instructions in the instruction manual.
2. Observe the information in the manual.
3. Observe the requirements for the safety loop.
4. Connect the device only to devices that are suitable for this safety application.
5. Check the safety function to ensure the expected output behavior.
4.1 Configuration
A configuration of the device is not necessary and not possible.
Functional Safety HiD2035, HiD2036
Functional Safety HiD2035, HiD2036
Operation
2016-06
15
5Operation
Operating the device
1. Observe the safety instructions in the instruction manual.
2. Observe the information in the manual.
3. Use the device only with devices that are suitable for this safety application.
4. Correct any occurring safe failures within 8 hours. Take measures to maintain
the safety function while the device is being repaired.
5.1 Proof Test Procedure
According to IEC/EN 61508-2 a recurring proof test shall be undertaken to reveal
potential dangerous failures that are not detected otherwise.
Check the function of the subsystem at periodic intervals depending on the
applied PFDavg in accordance with the characteristic safety values.
See chapter 3.4.
It is under the responsibility of the plant operator to define the type of proof test
and the interval time period.
Equipment required:
• Digital multimeter with an accuracy better than 0.1 %
Use for the proof test of the intrinsic safety side of the device a special digital
multimeter for intrinsically safe circuits.
If intrinsically safe circuits are operated with non-intrinsically safe circuits,
they must no longer be used as intrinsically safe circuits.
• Variable power supply 0 V DC ... 30 V DC
• Process calibrator with current source and current sink function with an
accuracy better than 20 µA
Danger!
Danger to life from missing safety function
If the safety loop is put out of service, the safety function is no longer guaranteed.
• Do not deactivate the device.
• Do not bypass the safety function.
• Do not repair, modify, or manipulate the device.
Functional Safety HiD2035, HiD2036
2016-06
16
Functional Safety HiD2035, HiD2036
Operation
Proof Test Procedure
1. Put out of service the entire safety loop. Protect the safety application by
means of other measures.
2. Prepare a test set-up, see figures below.
3. Test the devices. Verify the current values as given in table below.
4. Set back the device to the original settings for the application after the test.
HiD2035, HiD2036, 1oo1 Structure
Figure 5.1 Proof test set-up for HiD2035, HiD2036
Channel 2 only for HiD2036
Step No. Input value (V) Input value (mA) Measured input current (mA)
1 6 1.50 1.50 ±0.5
214 4.00 4.00 ±0.5
314 20.00 20.00 ±0.5
422 10.00 10.00 ±0.5
522 40.00 40.00 ±0.5
630 5.00 5.00 ±0.5
730 25.00 25.00 ±0.5
830 50.00 50.00 ±0.5
Table 5.1 Steps to be performed for the proof test
HiD2036
SL2
5a
5b
SL1
8a
7a
1a
1b
10a
9a
+
-
1
4
+
-
2
5
11
14
+
-
12
15
+
-
mA
mA
Multimeter
(A)
V
V1
2
Zone 0, 1, 2
Div. 1, 2
Functional Safety HiD2035, HiD2036
Operation
2016-06
17
Tip
The easiest way to test HiD devices by using a stand-alone HiDTB**-SCT-***-**-
** termination board. In this test, it is not necessary to disconnect the wiring of the
existing application. Faults in a subsequent wiring can be avoided.
2016-06
18
Functional Safety HiD2035, HiD2036
Maintenance and Repair
6 Maintenance and Repair
Maintaining, Repairing or Replacing the Device
In case of maintenance, repair or replacement of the device, proceed as follows:
1. Implement appropriate maintenance procedures for regular maintenance of
the safety loop.
2. Ensure the proper function of the safety loop, while the device is maintained,
repaired or replaced.
If the safety loop does not work without the device, shut down the application.
Do not restart the application without taking proper precautions.
Secure the application against accidental restart.
3. Do not repair a defective device. A defective device must only be repaired by
the manufacturer.
4. Replace a defective device only by a device of the same type.
Danger!
Danger to life from missing safety function
If the safety loop is put out of service, the safety function is no longer guaranteed.
• Do not deactivate the device.
• Do not bypass the safety function.
• Do not repair, modify, or manipulate the device.
Functional Safety HiD2035, HiD2036
Functional Safety HiD2035, HiD2036
List of Abbreviations
2016-06
19
7 List of Abbreviations
ESD Emergency Shutdown
FIT Failure In Time in 10-9 1/h
FMEDA Failure Mode, Effects, and Diagnostics Analysis
sProbability of safe failure
dd Probability of dangerous detected failure
du Probability of dangerous undetected failure
no effect Probability of failures of components in the safety loop that have
no effect on the safety function. The no effect failure is not used
for calculation of SFF.
not part Probability of failure of components that are not in the safety loop
total (safety function) Safety function
HFT Hardware Fault Tolerance
MTBF Mean Time Between Failures
MTTR Mean Time To Restoration
PCS Process Control System
PFDavg Average Probability of dangerous Failure on Demand
PFH Average frequency of dangerous failure
PTC Proof Test Coverage
SFF Safe Failure Fraction
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIL (SC) Safety Integrity Level (Systematic Capability)
SIS Safety Instrumented System
T1Proof Test Interval
Functional Safety HiD2035, HiD2036
Subject to modifications
Copyright PEPPERL+FUCHS • Printed in Germany
www.pepperl-fuchs.com
PROCESS AUTOMATION –
PROTECTING YOUR PROCESS
Worldwide Headquarters
Pepperl+Fuchs GmbH
68307 Mannheim · Germany
Tel. +49 621 776-0
E-mail: [email protected]
For the Pepperl+Fuchs representative
closest to you check www.pepperl-fuchs.com/contact
DOCT-5291
06/2016
This manual suits for next models
1
Table of contents
Other Pepperl+Fuchs Repeater manuals
Pepperl+Fuchs
Pepperl+Fuchs KFD0-CS .50 Series User manual
Pepperl+Fuchs
Pepperl+Fuchs KFD0-CS-Ex1.50P User manual
Pepperl+Fuchs
Pepperl+Fuchs KCD2-RR2-Ex1 User manual
Pepperl+Fuchs
Pepperl+Fuchs KFD0-CS 54 Series User manual
Pepperl+Fuchs
Pepperl+Fuchs KFD0-CS 50 Series User manual
Pepperl+Fuchs
Pepperl+Fuchs KFD2-VR4-Ex1.26 User manual
