# SAFETY MANUAL

SIL 2 Repeater Power Supply Hart, DIN-Rail and Termination Board, Models D5015SS, D5015SK

Reference must be made to the relevant sections within the instruction manual ISM0397, which contain basic guides for the installation of the equipment.





## **Description:**

For this application, use D5015SS for 4 - 20 mA Source current output or D5015SK for 4 - 20 mA Sink current output.

The module is powered by connecting 24 Vdc power supply to Pins 5 (+ positive) - 6 (- negative). The green LED is lit in presence of supply power.

Active input signal from external powered Tx is applied to Pins 8-11 (In 1 - Ch.1).

Source or Sink output current is available on Pins 1-2 (Channel 1).

## Safety Function and Failure behavior:

D5015 is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.

The failure behaviour is described from the following definitions:

- fail-Safe State: it is defined as the output going to 0 mA due to D5015 shutdown.
- fail Safe: failure mode that causes the module to go to the defined fail-safe state without a demand from the process.
- fail Dangerous: failure mode that does not respond to a demand from the process or deviates the output current by more than 5% (0.8 mA) of full span.
- fail High: failure mode that causes the output signal to go above the maximum output current (> 20 mA). Assuming that the application program in the safety logic solver is configured to detect a High failure and does not automatically trip on it, this failure has been classified as a dangerous detected (DD) failure.
- fail Low: failure mode that causes the output signal to go below the minimum output current (< 4 mA). Assuming that the application program in the safety logic solver is configured to detect a Low failure and does not automatically trip on it, this failure has been classified as a dangerous detected (DD) failure.
- fail "No Effect": failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account.
- fail "Not part": failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.

Failure rate data: taken from Siemens Standard SN29500.

#### Failure rate table:

| Failure category                                                                                                                | Failure rates (FIT) |
|---------------------------------------------------------------------------------------------------------------------------------|---------------------|
| $\lambda_{dd}$ = Total Dangerous Detected failures                                                                              | 90.36               |
| $\lambda_{du}$ = Total Dangerous Undetected failures                                                                            | 17.23               |
| $\lambda_{sd}$ = Total Safe Detected failures                                                                                   | 0.00                |
| $\lambda_{su}$ = Total Safe Undetected failures                                                                                 | 58.65               |
| $\lambda_{tot safe}$ = Total Failure Rate (Safety Function) = $\lambda_{dd}$ + $\lambda_{du}$ + $\lambda_{sd}$ + $\lambda_{su}$ | 166.24              |
| MTBF (safety function, one channel) = (1 / $\lambda_{tot safe}$ ) + MTTR (8 hours)                                              | 687 years           |
| $\lambda_{no effect}$ = "No Effect" failures                                                                                    | 195.86              |
| $\lambda_{\text{not part}}$ = "Not Part" failures                                                                               | 6.80                |
| $\lambda_{tot device}$ = Total Failure Rate (Device) = $\lambda_{tot safe}$ + $\lambda_{no effect}$ + $\lambda_{not part}$      | 368.90              |
| MTBF (device) = (1 / $\lambda_{tot device}$ ) + MTTR (8 hours)                                                                  | 309 years           |

#### Failure rates table according to IEC 61508:2010 Ed.2:

| $\lambda_{sd}$ | $\lambda_{su}$ | $\lambda_{dd}$ | $\lambda_{du}$ | SFF    |
|----------------|----------------|----------------|----------------|--------|
| 0.00 FIT       | 58.65 FIT      | 90.36 FIT      | 17.23 FIT      | 89.63% |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

| T[Proof] = 1 year                 | T[Proof] = 13 years               |
|-----------------------------------|-----------------------------------|
| PFDavg = 7.63E-05 Valid for SIL 2 | PFDavg = 9.92E-04 Valid for SIL 2 |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:

| T[Proof] = 20 years               |
|-----------------------------------|
| PFDavg = 1.53E-03 Valid for SIL 2 |

SC3: Systematic capability SIL 3.


## **Functional Safety Manual and Application**

# Application for D5015SS or D5015SK, with passive input (2 wires Tx)



## **Description:**

For this application, use D5015SS for 4 - 20 mA Source current output or D5015SK for 4 - 20 mA Sink current output.

The module is powered by connecting 24 Vdc power supply to Pins 5 (+ positive) - 6 (- negative). The green LED is lit in presence of supply power.

Passive input signal from external powered Tx is applied to Pins 7-8 (In 1 - Ch.1).

Source or Sink output current is available on Pins 1-2 (Channel 1).

## Safety Function and Failure behavior:

D5015 is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.

The failure behaviour is described from the following definitions:

- fail-Safe State: it is defined as the output going to 0 mA due to D5015 shutdown.
- fail Safe: failure mode that causes the module to go to the defined fail-safe state without a demand from the process.
- fail Dangerous: failure mode that does not respond to a demand from the process or deviates the output current by more than 5% (0.8 mA) of full span.
- fail High: failure mode that causes the output signal to go above the maximum output current (> 20 mA). Assuming that the application program in the safety logic solver is configured to detect a High failure and does not automatically trip on it, this failure has been classified as a dangerous detected (DD) failure.
- fail Low: failure mode that causes the output signal to go below the minimum output current (< 4 mA). Assuming that the application program in the safety logic solver is configured to detect a Low failure and does not automatically trip on it, this failure has been classified as a dangerous detected (DD) failure.
- fail "No Effect": failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure. When calculating the SFF, this failure mode is not taken into account.
- fail "Not part": failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF, this failure mode is not taken into account.

Failure rate data: taken from Siemens Standard SN29500.

#### Failure rate table:

| Failure category                                                                                                                   | Failure rates (FIT) |
|------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| $\lambda_{dd}$ = Total Dangerous Detected failures                                                                                 | 79.51               |
| $\lambda_{du}$ = Total Dangerous Undetected failures                                                                               | 16.51               |
| $\lambda_{sd}$ = Total Safe Detected failures                                                                                      | 0.00                |
| $\lambda_{su}$ = Total Safe Undetected failures                                                                                    | 58.65               |
| $\lambda_{tot safe}$ = Total Failure Rate (Safety Function) = $\lambda_{dd}$ + $\lambda_{du}$ + $\lambda_{sd}$ + $\lambda_{su}$    | 154.67              |
| MTBF (safety function, one channel) = (1 / $\lambda_{tot safe}$ ) + MTTR (8 hours)                                                 | 738 years           |
| $\lambda_{no effect}$ = "No Effect" failures                                                                                       | 189.63              |
| $\lambda_{\text{not part}}$ = "Not Part" failures                                                                                  | 24.60               |
| $\lambda_{tot \ device}$ = Total Failure Rate (Device) = $\lambda_{tot \ safe}$ + $\lambda_{no \ effect}$ + $\lambda_{not \ part}$ | 368.90              |
| MTBF (device) = (1 / $\lambda_{tot device}$ ) + MTTR (8 hours)                                                                     | 309 years           |

#### Failure rates table according to IEC 61508:2010 Ed.2:

| $\lambda_{sd}$ | $\lambda_{su}$ | $\lambda_{dd}$ | $\lambda_{du}$ | SFF    |
|----------------|----------------|----------------|----------------|--------|
| 0.00 FIT       | 58.65 FIT      | 79.51 FIT      | 16.51 FIT      | 89.32% |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes ≤10% of total SIF dangerous failures:

| T[Proof] = 1 year                 | T[Proof] = 13 years               |
|-----------------------------------|-----------------------------------|
| PFDavg = 7.31E-05 Valid for SIL 2 | PFDavg = 9.50E-04 Valid for SIL 2 |

PFDavg vs T[Proof] table (assuming Proof Test coverage of 99%), with determination of SIL supposing module contributes >10% of total SIF dangerous failures:

| T[Proof] = 20 years               |
|-----------------------------------|
| PFDavg = 1.46E-03 Valid for SIL 2 |

SC3: Systematic capability SIL 3.
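The arithmetic behind the failure rate, SFF, MTBF and PFDavg tables of both applications above (active input and passive input), as an added worked example; this is not vendor code. It takes the FIT values from the two tables and applies the standard IEC 61508 single-channel, low-demand, HFT = 0 formulas. The vendor's exact PFDavg formula (99% proof test coverage, MTTR terms) is not stated on the page, so the simplified lambda_du * T / 2 estimate is only expected to land within a few percent of the tabulated values, not reproduce them exactly. The SIL banding and the Type A architectural-constraint table are assumptions taken from IEC 61508-1 Table 2 and IEC 61508-2 Table 2; the "<=10% of SIF dangerous failures" rule is modelled as a tenfold tightening of the PFDavg limits.

```python
# Added worked example (not vendor code): FMEDA arithmetic for the D5015 figures
# quoted on this page, for both the active-input and passive-input applications.
from dataclasses import dataclass

FIT = 1e-9                # 1 FIT = 1 failure per 1e9 hours
HOURS_PER_YEAR = 8760.0
MTTR_HOURS = 8.0          # mean time to restore used in the page's MTBF rows


@dataclass(frozen=True)
class Fmeda:
    """Failure rates in FIT, split as in the page's failure rate tables."""
    lambda_dd: float          # dangerous detected
    lambda_du: float          # dangerous undetected
    lambda_sd: float          # safe detected
    lambda_su: float          # safe undetected
    lambda_no_effect: float   # excluded from SFF
    lambda_not_part: float    # excluded from SFF

    @property
    def lambda_tot_safe(self) -> float:
        return self.lambda_dd + self.lambda_du + self.lambda_sd + self.lambda_su

    @property
    def lambda_tot_device(self) -> float:
        return self.lambda_tot_safe + self.lambda_no_effect + self.lambda_not_part

    @property
    def sff(self) -> float:
        """Safe Failure Fraction: everything except dangerous-undetected failures,
        over the safety-function total ("no effect" / "not part" excluded)."""
        return (self.lambda_sd + self.lambda_su + self.lambda_dd) / self.lambda_tot_safe

    def mtbf_years(self, whole_device: bool = False) -> float:
        """MTBF = MTTF + MTTR, as in the page's rows: 1/lambda (hours) + 8 h."""
        lam = self.lambda_tot_device if whole_device else self.lambda_tot_safe
        return (1.0 / (lam * FIT) + MTTR_HOURS) / HOURS_PER_YEAR

    def pfd_avg(self, t_proof_years: float) -> float:
        """Simplified single-channel low-demand PFDavg: lambda_du * T / 2.
        Assumption: the vendor's exact formula is not on the page."""
        return self.lambda_du * FIT * t_proof_years * HOURS_PER_YEAR / 2.0


def sil_from_pfd(pfd: float, contributes_at_most_10pct: bool) -> int:
    """SIL band for a low-demand PFDavg (assumed from IEC 61508-1 Table 2:
    SIL n requires PFDavg < 10**-n). When the module is budgeted at <=10% of
    the SIF's dangerous failures, its own PFDavg must fit in a tenth of the
    band. Returns 0 when not even SIL 1 is met."""
    scale = 0.1 if contributes_at_most_10pct else 1.0
    for sil in (4, 3, 2, 1):
        if pfd < 10.0 ** (-sil) * scale:
            return sil
    return 0


def arch_sil_type_a_hft0(sff: float) -> int:
    """Architectural constraint (assumed from IEC 61508-2 Table 2), Type A,
    HFT = 0: SFF < 60% -> SIL 1; 60-90% -> SIL 2; >= 90% -> SIL 3."""
    if sff < 0.60:
        return 1
    if sff < 0.90:
        return 2
    return 3


def achievable_sil(f: Fmeda, t_proof_years: float, contributes_at_most_10pct: bool) -> int:
    """The claimable SIL is bounded by both the PFDavg band and the architecture."""
    return min(sil_from_pfd(f.pfd_avg(t_proof_years), contributes_at_most_10pct),
               arch_sil_type_a_hft0(f.sff))


# Values from the page's two failure rate tables.
ACTIVE_INPUT = Fmeda(90.36, 17.23, 0.00, 58.65, 195.86, 6.80)    # active input, Pins 8-11
PASSIVE_INPUT = Fmeda(79.51, 16.51, 0.00, 58.65, 189.63, 24.60)  # passive input, Pins 7-8

if __name__ == "__main__":
    for name, f in (("active", ACTIVE_INPUT), ("passive", PASSIVE_INPUT)):
        print(f"{name}: lambda_tot_safe={f.lambda_tot_safe:.2f} FIT  SFF={f.sff:.2%}  "
              f"MTBF={f.mtbf_years():.0f} y (device {f.mtbf_years(True):.0f} y)")
        for t, le10 in ((1, True), (13, True), (20, False)):
            print(f"  T_proof={t:>2} y  PFDavg~{f.pfd_avg(t):.2E}  "
                  f"SIL {achievable_sil(f, t, le10)} ({'<=' if le10 else '>'}10% of SIF)")
```

Running it reproduces the 166.24 / 154.67 FIT totals, the 687 / 738 year MTBF figures and the 309 year device MTBF exactly, and the SFF values to the rounding shown. The point worth noticing is that at T[Proof] = 1 year the PFDavg alone would satisfy a tenth of the SIL 3 band, yet the result is still SIL 2: with SFF just under 90% and HFT = 0, the Type A architectural constraint, not the PFDavg, is what caps the claim. Conversely, the 20 year column only holds if the module is allowed more than 10% of the SIF's dangerous-failure budget, which is exactly how the page presents it.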

# Testing procedure at T-proof

The proof test shall be performed to reveal dangerous faults which are undetected by diagnostics. This means that it is necessary to specify how the dangerous undetected faults noted during the FMEDA can be revealed during the proof test. **The Proof test 1** consists of the following steps:

| Steps | Action                                                                                                                                                                                                                                                                                                                                                                         |
|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1     | Bypass the safety-related PLC or take other appropriate action to avoid a false trip.                                                                                                                                                                                                                                                                                          |
| 2     | By HART command or other technique, set the transmitter connected to the input of the repeater in order to go to high alarm current and verify that the output current of the repeater reaches that value. This tests for compliance voltage problems such as a low loop power supply voltage or increased wiring resistance.                                                   |
| 3     | By HART command or other technique, set the transmitter connected to the input of the repeater in order to go to low alarm current and verify that the output current of the repeater reaches that value. This tests for possible quiescent current related failures.                                                                                                          |
| 4     | Restore the loop to full operation.                                                                                                                                                                                                                                                                                                                                            |
| 5     | Remove the bypass from the safety-related PLC or restore normal operation.                                                                                                                                                                                                                                                                                                     |

This test will reveal approximately 30 % of possible Dangerous Undetected failures in the repeater.

**The Proof test 2** consists of the following steps:

| Steps | Action                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|-------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1     | Bypass the safety-related PLC or take other appropriate action to avoid a false trip.                                                                                                                                                                                                                                                                                                                                                                                     |
| 2     | Perform steps 2 and 3 of the Proof Test 1.                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 3     | Perform a two-point calibration (i.e. down scale as 4 mA and full scale as 20 mA) of the transmitter connected to the input of the repeater. Then set the transmitter to impose some input current values in the 4-20 mA range and verify that the corresponding output current values of the repeater are within the specified accuracy. This proof requires that the transmitter has already been tested without the repeater and works correctly according to its performance. |
| 4     | Restore the loop to full operation.                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| 5     | Remove the bypass from the safety-related PLC or restore normal operation.                                                                                                                                                                                                                                                                                                                                                                                                |

This test will reveal approximately 99 % of possible Dangerous Undetected failures in the repeater.
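A checker for the readings taken during Proof Test 2, as an added example rather than the vendor's procedure. Each reading is a (transmitter setpoint, measured repeater output) pair in mA; the first two are the high-alarm and low-alarm steps carried over from Proof Test 1, the rest are the 4-20 mA checkpoints taken after the transmitter's two-point calibration. A reading is classified with the failure definitions given on this page: within 0.8 mA (5% of the 16 mA span) passes, otherwise it is reported as fail High (> 20 mA), fail Low (< 4 mA, which also covers the 0 mA fail-safe state) or fail Dangerous (in range but off by more than 0.8 mA). The alarm levels (21.0 mA and 3.6 mA) and all sample readings are constructed for the example, not field data.

```python
# Added example (not the vendor's procedure): evaluate Proof Test 2 readings
# against the deviation and range limits stated on this page.

SPAN_MA = 20.0 - 4.0
DEV_LIMIT_MA = 0.05 * SPAN_MA   # "fail Dangerous" threshold: 5% of span = 0.8 mA
OUT_MAX_MA = 20.0               # above this the page calls it "fail High"
OUT_MIN_MA = 4.0                # below this the page calls it "fail Low"


def classify_reading(set_ma: float, measured_ma: float) -> str:
    """Map one (setpoint, measured output) pair onto the page's failure modes."""
    if abs(measured_ma - set_ma) <= DEV_LIMIT_MA:
        return "pass"
    if measured_ma > OUT_MAX_MA:
        return "fail High"
    if measured_ma < OUT_MIN_MA:        # includes the 0 mA fail-safe state
        return "fail Low"
    return "fail Dangerous"


def proof_test_2(readings):
    """Evaluate a full Proof Test 2 run.

    readings[0] must be the high-alarm step, readings[1] the low-alarm step
    (both from Proof Test 1); the remaining entries are in-range checkpoints.
    Returns (overall_pass, [(set_ma, measured_ma, verdict), ...]).
    """
    if len(readings) < 4:
        raise ValueError("need high alarm, low alarm and at least two checkpoints")
    high_set, _ = readings[0]
    low_set, _ = readings[1]
    if not (high_set > OUT_MAX_MA and low_set < OUT_MIN_MA):
        raise ValueError("first reading must be the high alarm, second the low alarm")
    for set_ma, _ in readings[2:]:
        if not OUT_MIN_MA <= set_ma <= OUT_MAX_MA:
            raise ValueError(f"checkpoint {set_ma} mA is outside the 4-20 mA range")
    verdicts = [(s, m, classify_reading(s, m)) for s, m in readings]
    return all(v == "pass" for _, _, v in verdicts), verdicts


# Constructed sample runs (assumed alarm levels 21.0 mA / 3.6 mA, then checkpoints).
GOOD_RUN = [(21.0, 20.95), (3.6, 3.65), (4.0, 4.02), (8.0, 7.95),
            (12.0, 12.05), (16.0, 15.97), (20.0, 19.98)]
# Same run but the output drifts mid-span: alarms still reached, so Proof
# Test 1 alone would have passed it; only the checkpoints catch the offset.
BAD_RUN = [(21.0, 20.95), (3.6, 3.65), (4.0, 4.02), (8.0, 7.95),
           (12.0, 13.1), (16.0, 15.97), (20.0, 19.98)]

if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("bad", BAD_RUN)):
        ok, verdicts = proof_test_2(run)
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for s, m, v in verdicts:
            print(f"  set {s:5.2f} mA  measured {m:5.2f} mA  -> {v}")
```

The bad run illustrates why the page credits Proof Test 1 with only about 30% coverage and Proof Test 2 with 99%: an output that still reaches both alarm levels but is offset by more than 0.8 mA in the working range is a dangerous undetected failure that only the in-range checkpoints reveal.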