# SAFETY MANUAL

# SIL3 3/4-Wire HART® Transmitter Power Supply, Termination Board Models D6017SS-TB, D6017SK-TB

Approval: TÜV Certificate No. C-IS-272994-01, SIL 3, conforms to IEC61508:2010 Ed.2. SIL 3 Functional Safety TÜV Certificate conforms to IEC61508:2010 Ed.2, for Management of Functional Safety.

Reference must be made to the relevant sections within the instruction manual ISM0547, which contain basic guides for the installation and configuration of the equipment.



#### Functional Safety Manual and Application

#### Application for D6017SS-TB or D6017SK-TB, with input connected to 3/4 Wire Transmitter (Tx)



#### Description:

For this application, use D6017SS-TB for 4 - 20 mA Source current output or D6017SK-TB for 4 - 20 mA Sink current output.

The module is powered through the Termination Board connector from a 24 Vdc power supply. The green LED is lit when supply power is present.

The 3/4 Wire Transmitter (Tx) is supplied by the Field Supply output, Pins 7-8, of the D6017-TB module.

The active input signal from the 3/4 Wire Transmitter (Tx) is applied to Pins 7-8 (In 1 - Ch.1).

The Source or Sink output current is applied to the Termination Board connector (Channel 1).

#### Safety Function and Failure behavior:

D6017-TB is considered to be operating in Low Demand mode, as a Type A module, having Hardware Fault Tolerance (HFT) = 0.

The failure behaviour is described by the following definitions:

- Fail-Safe State: defined as the output going to 0 mA due to D6017-TB shutdown.
- Fail Safe: a failure mode that causes the module to go to the defined fail-safe state without a demand from the process.
- Fail Dangerous: a failure mode that does not respond to a demand from the process, or that deviates the output current by more than 5% (0.8 mA) of full span.
- Fail High: a failure mode that causes the output signal to go above the maximum output current (> 20 mA). Assuming that the application program in the safety logic solver is configured to detect a High failure and does not automatically trip on it, this failure is classified as a dangerous detected (DD) failure.
- Fail Low: a failure mode that causes the output signal to go below the minimum output current (< 4 mA). Assuming that the application program in the safety logic solver is configured to detect a Low failure and does not automatically trip on it, this failure is classified as a dangerous detected (DD) failure.
- Fail "No Effect": a failure mode of a component that plays a part in implementing the safety function but that is neither a safe failure nor a dangerous failure. This failure mode is not taken into account when calculating the SFF.
- Fail "Not Part": a failure mode of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. This failure mode is not taken into account when calculating the SFF.

Failure rate data: taken from Siemens Standard SN29500.

#### Failure rate table:

| Failure category | Failure rates (FIT) |
|------------------|---------------------|
| $\lambda_{dd}$ = Total Dangerous Detected failures | 71.02 |
| $\lambda_{du}$ = Total Dangerous Undetected failures | 14.98 |
| $\lambda_{sd}$ = Total Safe Detected failures | 0.00 |
| $\lambda_{su}$ = Total Safe Undetected failures | 78.51 |
| $\lambda_{\text{tot safe}}$ = Total Failure Rate (Safety Function) = $\lambda_{dd} + \lambda_{du} + \lambda_{sd} + \lambda_{su}$ | 164.51 |
| MTBF (safety function, one channel) = $(1 / \lambda_{\text{tot safe}})$ + MTTR (8 hours) | 694 years |
| $\lambda_{\text{no effect}}$ = "No Effect" failures | 209.88 |
| $\lambda_{\text{not part}}$ = "Not Part" failures | 6.20 |
| $\lambda_{\text{tot device}}$ = Total Failure Rate (Device) = $\lambda_{\text{tot safe}} + \lambda_{\text{no effect}} + \lambda_{\text{not part}}$ | 380.59 |
| MTBF (device) = $(1 / \lambda_{\text{tot device}})$ + MTTR (8 hours) | 300 years |

#### Failure rates table according to IEC 61508:2010 Ed.2:

| $\lambda_{sd}$ | $\lambda_{su}$ | $\lambda_{dd}$ | $\lambda_{du}$ | SFF    |
|----------------|----------------|----------------|----------------|--------|
| 0.00 FIT       | 78.51 FIT      | 71.02 FIT      | 14.98 FIT      | 90.89% |

PFDavg vs T[Proof] table (assuming a Proof Test coverage of 99%), with determination of SIL assuming the module contributes ≤10% of the total SIF dangerous failures:

| T[Proof] = 1 year                 | T[Proof] = 15 years               |
|-----------------------------------|-----------------------------------|
| PFDavg = 6.63E-05 Valid for SIL 3 | PFDavg = 9.95E-04 Valid for SIL 2 |

PFDavg vs T[Proof] table (assuming a Proof Test coverage of 99%), with determination of SIL assuming the module contributes >10% of the total SIF dangerous failures:

| T[Proof] = 5 years                | T[Proof] = 20 years               |
|-----------------------------------|-----------------------------------|
| PFDavg = 3.32E-04 Valid for SIL 3 | PFDavg = 1.33E-03 Valid for SIL 2 |

SC3: Systematic capability SIL 3.
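To show how the figures in the tables above fit together, the following added example (not part of the manual) recomputes the SFF, the two MTBF values and the SIL classification from the manual's FIT values. The PFDavg formula used here is a simplified single-channel approximation (an assumption: $\lambda_{du}(T/2 + \text{MTTR}) + \lambda_{dd}\,\text{MTTR}$, with proof-test coverage treated as 100%); it reproduces the 1-year figure, while the manual's longer-interval figures presumably also account for the 99% proof-test coverage.

```python
"""Recompute the D6017-TB safety figures from the manual's failure-rate table (added example)."""

# Failure rates in FIT (failures per 1e9 hours), copied from the manual's table.
LAMBDA_SD = 0.00
LAMBDA_SU = 78.51
LAMBDA_DD = 71.02
LAMBDA_DU = 14.98
LAMBDA_NO_EFFECT = 209.88
LAMBDA_NOT_PART = 6.20
MTTR_HOURS = 8.0
HOURS_PER_YEAR = 8760.0


def sff_percent(sd, su, dd, du):
    """Safe Failure Fraction: every failure that is not dangerous undetected, over the safety-function total."""
    return 100.0 * (sd + su + dd) / (sd + su + dd + du)


def mtbf_years(total_fit, mttr_hours=MTTR_HOURS):
    """MTBF = 1/lambda + MTTR, with lambda converted from FIT to failures per hour."""
    return (1e9 / total_fit + mttr_hours) / HOURS_PER_YEAR


def max_sil_type_a_hft0(sff):
    """Architectural constraint (IEC 61508 route 1H) for a Type A element with HFT = 0."""
    if sff < 60.0:
        return 1
    if sff < 90.0:
        return 2
    if sff < 99.0:
        return 3
    return 4


def pfd_avg_simplified(du_fit, dd_fit, t_proof_years, mttr_hours=MTTR_HOURS):
    """Assumed simplified PFDavg: lambda_du*(T/2 + MTTR) + lambda_dd*MTTR (coverage treated as 100%)."""
    t_hours = t_proof_years * HOURS_PER_YEAR
    return du_fit * 1e-9 * (t_hours / 2.0 + mttr_hours) + dd_fit * 1e-9 * mttr_hours


def sil_from_pfd(pfd_avg, contribution):
    """Low-demand SIL band of the SIF when this module accounts for 'contribution' of its PFDavg.

    contribution=0.10 models the manual's '<=10% of SIF dangerous failures' case; 1.0 the '>10%' case.
    """
    sif_pfd = pfd_avg / contribution
    if sif_pfd >= 1e-1:
        return 0
    if sif_pfd >= 1e-2:
        return 1
    if sif_pfd >= 1e-3:
        return 2
    if sif_pfd >= 1e-4:
        return 3
    return 4
```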

## Testing procedure at T-proof

The proof test shall be performed to reveal dangerous faults which are undetected by diagnostics. This means that it is necessary to specify how the dangerous undetected faults noted during the FMEDA can be revealed during the proof test. **The Proof test 1** consists of the following steps:

| Steps | Action |
|-------|--------|
| 1     | Bypass the input of the module channel under test, taking appropriate action in order to avoid a false trip, and use the safety-related PLC to read the channel output current during the test. |
| 2     | By HART command or other technique, set the transmitter connected to the input of the current repeater to go to its high alarm current and verify, by the safety-related PLC, that the output current of the repeater reaches that value. This tests for problems related to insufficient supply for the internal input circuits. |
| 3     | By HART command or other technique, set the transmitter connected to the input of the current repeater to go to its low alarm current and verify, by the safety-related PLC, that the output current of the repeater reaches that value. This tests for possible failures related to the input circuit quiescent current. |
| 4     | Remove the bypass from the input of the module channel, restoring the input loop to full normal operation. |

This test will reveal approximately 30 % of possible Dangerous Undetected failures in the repeater.

**The Proof test 2** consists of the following steps:

| Steps | Action |
|-------|--------|
| 1     | Bypass the input of the module channel under test, taking appropriate action in order to avoid a false trip, and use the safety-related PLC to read the channel output current during the test. |
| 2     | Perform steps 2 and 3 of the **Proof Test 1**. |
| 3     | Perform a two-point calibration (i.e. down scale at 4 mA and full scale at 20 mA) of the transmitter connected to the input of the current repeater. Then set the transmitter to impose several input current values within the 4-20 mA range and verify, by the safety-related PLC, that the corresponding output current values of the repeater are within the specified accuracy. This proof requires that the transmitter has already been tested without the repeater and works correctly according to its performance. |
| 4     | Remove the bypass from the input of the module channel, restoring the input loop to full normal operation. |

This test will reveal approximately 99 % of possible Dangerous Undetected failures in the repeater.