What safety level can be reached when combining a contactor with a circuitbreaker for fail-safe switching?

Similar documents
Safety Manual OPTISWITCH series relay (DPDT)

Safety Manual VEGAVIB series 60

Safety Manual VEGAVIB series 60

Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

PL estimation acc. to EN ISO

New Thinking in Control Reliability

Functional Example CD-FE-I-029-V30-EN Safety-related controls SIRIUS Safety Integrated

Service & Support. Questions and Answers about the Proof Test Interval. Proof Test According to IEC FAQ August Answers for industry.

CT433 - Machine Safety

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

Session: 14 SIL or PL? What is the difference?

Vibrating Switches SITRANS LVL 200S, LVL 200E. Safety Manual. NAMUR With SIL qualification

Applications & Tools. Evaluation of the selection of a safetyrelated mode using non-safety-related components

Safety Manual VEGASWING 61, 63. NAMUR With SIL qualification. Document ID: 52084

Failure Modes, Effects and Diagnostic Analysis

SIL Safety Manual. ULTRAMAT 6 Gas Analyzer for the Determination of IR-Absorbing Gases. Supplement to instruction manual ULTRAMAT 6 and OXYMAT 6

Accelerometer mod. TA18-S. SIL Safety Report


FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

Section 1: Multiple Choice Explained EXAMPLE

Hydraulic (Subsea) Shuttle Valves

Bespoke Hydraulic Manifold Assembly

Introduction to Machine Safety Standards

H250 M9 Supplementary instructions

Failure Modes, Effects and Diagnostic Analysis

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

DSL, DSH: Specially designed pressure limiter

Solenoid Valves For Gas Service FP02G & FP05G

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Section 1: Multiple Choice

Implementing Emergency Stop Systems - Safety Considerations & Regulations A PRACTICAL GUIDE V1.0.0

Failure Modes, Effects and Diagnostic Analysis

Special Documentation Proline Promass 80, 83

Neles trunnion mounted ball valve Series D Rev. 2. Safety Manual

Failure Modes, Effects and Diagnostic Analysis

Neles ValvGuard VG9000H Rev 2.0. Safety Manual

Why do I need dual channel safety? Pete Archer - Product Specialist June 2018

SPR - Pneumatic Spool Valve

Table 1: Safety Function (SF) Descriptions

Failure Modes, Effects and Diagnostic Analysis

model for functional safety of

Solenoid Valves used in Safety Instrumented Systems

Continuous Gas Analysis. ULTRAMAT 6, OXYMAT 6 Safety Manual. Introduction 1. General description of functional safety 2

Operating instructions Safety Rope Emergency Stop Switches ZB0052 / ZB0053 ZB0072 / ZB0073

Jamesbury Pneumatic Rack and Pinion Actuator

RESILIENT SEATED BUTTERFLY VALVES FUNCTIONAL SAFETY MANUAL

Functional Safety SIL Safety Instrumented Systems in the Process Industry

Rosemount 2130 Level Switch

DSB, DSF: Pressure monitors and pressure switches

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

DeZURIK. KSV Knife Gate Valve. Safety Manual

Safe Machinery Handbook

Ultima. X Series Gas Monitor

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

High performance disc valves Series Type BA, BK, BW, BM, BN, BO, BE, BH Rev Safety Manual

Failure Modes, Effects and Diagnostic Analysis

Transmitter mod. TR-A/V. SIL Safety Report

Transducer mod. T-NC/8-API. SIL Safety Report

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects, and Diagnostic Analysis of a Safety Device

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

Machine Safety Guide 1

Achieving Compliance in Hardware Fault Tolerance

The Key Variables Needed for PFDavg Calculation

Safe Machinery Handbook

Available online at ScienceDirect. Jiří Zahálka*, Jiří Tůma, František Bradáč

DSB, DSF: Pressure monitors and pressure switches

YT-3300 / 3301 / 3302 / 3303 / 3350 / 3400 /

Understanding the How, Why, and What of a Safety Integrity Level (SIL)

Failure Modes, Effects and Diagnostic Analysis

Application Note. Safety Sub-function PUS Category 1, up to PL c. Application Note PUS, Category 1, up to PL c M20 S22 R20 M1 Q20

E28/Q28 Safety Exhaust Valve Externally Monitored

Safety in pneumatic automation

Safety Legislation and Standards

Commissioning and safety manual

TEST REPORT Safety Laboratory-MD Team Report No.: RA/2013/90003

Safety Circuit Design. Heinz Knackstedt Safety Engineer C&E sales, inc.

PROCESS AUTOMATION SIL. Manual Safety Integrity Level. Edition 2005 IEC 61508/61511

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Special Documentation Liquiphant M/S with electronic insert FEL56 + Nivotester FTL325N

THE IMPROVEMENT OF SIL CALCULATION METHODOLOGY. Jinhyung Park 1 II. THE SIL CALCULATION METHODOLOGY ON IEC61508 AND SOME ARGUMENT

Safety-critical systems: Basic definitions

Rosemount 2120 Level Switch

EL-O-Matic E and P Series Pneumatic Actuator SIL Safety Manual

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

P33 Safety Exhaust Valve Externally Monitored. Bulletin 0700-B14 ENGINEERING YOUR SUCCESS.

IST-203 Online DCS Migration Tool. Product presentation

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

The following gives a brief overview of the characteristics of the most commonly used devices.

The Best Use of Lockout/Tagout and Control Reliable Circuits

Safety manual for Fisher GX Control Valve and Actuator

YT-300 / 305 / 310 / 315 / 320 / 325 Series

High Integrity Pressure Protection Systems HIPPS

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

Failure Modes, Effects and Diagnostic Analysis

Application Note. Safety Sub-functions SSC Category 1, up to PL c PUS Category 1, up to PL c. Application Note SSC, PUS, Category 1, up to PL c STOP

L&T Valves Limited SAFETY INTEGRITY LEVEL (SIL) VERIFICATION FOR HIGH INTEGRITY PRESSURE PROTECTION SYSTEM (HIPPS) Report No.

Transcription:

FAQ 01/2015 What safety level can be reached when combining a contactor with a circuitbreaker for fail-safe switching? SIRIUS Safety Integrated http://support.automation.siemens.com/ww/view/en/40349715

This entry is from the Siemens Industry Online Support. The general terms of use (http://www.siemens.com/terms_of_use) apply. Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity. To stay informed about product updates as they occur, sign up for a productspecific newsletter. For more information, visit http://support.automation.siemens.com. Table of contents 1 Explanation... 3 2 Hardware components... 5 3 Calculation... 6 3.1 ISO 13849-1... 6 3.2 IEC 62061... 8 4 Application examples... 9 5 History... 9 6 Contact/Support... 10 Entry-ID: 40349715, V3.0, 01/2015 2

1 Explanation 1 Explanation Question Answer circuitbreaker for fail-safe switching? Since circuit-breakers do not offer any diagnostic functions, i.e. mirror contacts, they cannot be used as a second functional channel in a safety function. Additionally it would be impractical to trip the circuit-breaker with every fail-safe switching, since it needs to reset manually. However, it is possible to use a circuit-breaker as an output of the test equipment. In combination with a power contactor this conforms to Cat. 2 according to ISO 13849-1 und thus the safety function can reach up to PL d. According to IEC 62061 a hardware fault tolerance (HFT) of 0 can be assumed und thus the safety function can reach up to SILCL 2. Cat. 2 is fulfilled by monitoring the power contactor by a safety evaluation unit and executing a fault reaction within sufficient time in case the power contactors fails (welding of the contacts). In case of a hardware failure, the circuit-breaker is tripped by the means of an undervoltage release. The architecture is thus a single-channel architecture with a specified fault reaction. In addition, the power contactor and the circuit-breaker are well-tried components in accordance with ISO 13849-2. Reason The diagnostic coverage (DC) can be assumed to be 90 %-99 %. Due to the mirror contacts of the power contactor, its diagnostics capability can be assumed to be 99 %. Now it has to be considered that this diagnostics capability alone can trigger or even prevent the fault reaction. It is absolutely necessary that this fact be taken into account. An additional worst case consideration should thus be made by reducing the diagnostic coverage from originally 99 % to 90 % and increasing the associated dangerous failure rate accordingly. Table E.1 of ISO 13849-1 lists additional measures that recommend the use of a 90 % diagnostic coverage. The failure rate of the power contactor is calculated based on the operating cycles. As an example, it is assumed that the safety function is demanded once per week (or 52 times per year). In a worst case consideration, the same demand mode is assumed for the circuit-breaker. Entry-ID: 40349715, V3.0, 01/2015 3

1 Explanation DANGER To avoid an undetected accumulation of faults, the circuit-breaker must be tested after 6-12 months at the latest. This test set-up has to be documented in the description of the safety function and in the operating instructions (of the machine). The tests performed must also be verifiably documented by the user during the phase of use. The set time delay influences the maximum reaction time. It must be ensured that, based on the risk assessment, this reaction time is sufficiently short in the event of a fault. Why can Category 2 according to ISO 13849-1 be used? In accordance with the simplified procedure of ISO 13849-1, Category 2 is a singlechannel tested system: If a dangerous fault occurs, the fault detection is only effective if the test detecting the fault takes place before the next demand of the safety function. Against this background, a test rate is required that is 100 times greater than the demand mode of the safety function. An alternative realization of effective fault detection is not explicitly specified in ISO 13849-1, but also possible. The following relevant information is provided in IEC 62061, 6.3.2: Where a diagnostic function(s) is necessary to achieve the required probability of dangerous random hardware failure and the subsystem has a hardware fault tolerance of zero, then the fault detection and specified fault reaction shall be performed before the hazardous situation addressed by the SRCF can occur. This means: If, after a dangerous fault has occurred, the fault detection and the specified fault reaction can initiate a safe state before a hazardous situation can occur, the requirement of Category 2 is basically met. Why is an evaluation with Category 3 according to ISO 13849-1 inadvisable? Category 3 is characterized by a two-channel architecture. Both channels have to be considered independently of one another. In this case, this independence is not given. Entry-ID: 40349715, V3.0, 01/2015 4

2 Hardware components 2 Hardware components As an example, the following industrial switchgear and switchgear and protective gear for power distribution can be used: Table 2-1 Designation Type B10 value Lifetime T1 Dangerous failure ratio SIRIUS Power contactors 3RT1 3RT2 3TF68 3TF69 1,000,000 1,000,000 1,000,000 1,000,000 73 % 73 % 73 % 73 % SIRIUS Circuit-breakers 3RV1.1, 3RV1.2, 3RV1.3, 3RV1.4 3RV2.1, 3RV2.2 5,000 5,000 10 Years 10 Years With undervoltage release 3RV1902-1A., 3RV2902-1A. SENTRON Circuit-breakers 3VL1-3VL4 3VL5 3VL6 3VL7-3VL8 With undervoltage release 3VL9400-1U.00, 3VL9800-1U.00 10,000 5,000 3,000 1,500 Entry-ID: 40349715, V3.0, 01/2015 5

3 Calculation 3 Calculation 3.1 ISO 13849-1 For architectures of Cat. 2, the calculations of the MTTF d and DC avg only include the functional channel and not the testing channel. Thus the circuit-breaker has no influence on the evaluation of the safety function. However, it is evaluated if the circuit-breaker can withstand the expected operating conditions, i.e. the switching capacity or the operating cycles. 3RT2 power contactor The MTTFd of each channel is calculated as follows: B10 d B10 dangerous failure ratio 1,369,863 [Switching cycles] n op = 52 [Operations/year] B10 = 1,000,000 (manufacturer information, SN 31920) Dangerous failure ratio = 73 % (manufacturer information, SN 31920) B10d MTTF d 2.63 E+05 [years] 0.1 n op 3RV2.1 circuit-breaker, as an output of the test equipment (TE) The MTTFd of each channel is calculated as follows: B10 d B10 dangerous failure ratio 10,000 [Switching cycles] n op = 52 [Operations/year] B10 = 5,000 (manufacturer information, SN 31920) Dangerous failure ratio = (manufacturer information, SN 31920) B10d MTTF d,te 1.92 E+03 [Years] 0.1 n op ISO 13849-1 suggests that for Cat. 2 the MTTF d,te should be higher than half of the MTTF d,l. Since the MTTF d is limited to 100 years, this suggestion is fulfilled. Entry-ID: 40349715, V3.0, 01/2015 6

3 Calculation According to Table 7 of ISO 13849-1 the subsystem Reacting reaches PL d. Cat. 2 DC avg medium (DC = 90 %) MTTF d of each channel is high (>30 Years) (Power contactor) According to Annex K this results in PFH D of 2.29 E-07. Cat. 2 DC avg medium (DC = 90 %) MTTF d of max.100 years (Power contactor) Entry-ID: 40349715, V3.0, 01/2015 7

3 Calculation 3.2 IEC 62061 Since the circuit-breaker is not part of the safety function but instead a diagnostic function, it is not included in the evaluation of the safety function. The probability of dangerous failures λ D of the power contactor is calculated as follows: Operationsper week C 5.95 E-03 [Operations per hour] 7 x 24 hours B10 = 1,000,000 (manufacturer information, SN 31920) Dangerous failure ratio = 73 % (manufacturer information, SN 31920) λ D 0.1 C (dangerous failure ratio) 4.33 E-10 B10 According to Table 5 of IEC 62061 the subsystem Reacting reaches SILCL 2. DC = 90 % SFF = 90 % HFT = 0 According to Subsystem C (zero fault tolerance with a diagnostic function) this results in a PFH D of 4.33 E-11. T 1 = 175,200 [hours] (20 years, 8,760 hours/year) DC = 90 % NOTICE Even if DC = 99 % was selected, max. SIL CL 2 can be achieved. When determining the SFF, the exception in section 6.7.7.2 of IEC 62061 must be additionally considered: For a subsystem with a hardware fault tolerance of zero and where fault exclusions have been applied to faults that could lead to a dangerous failure, then the SILCL due to architectural constraints of that subsystem is constrained to a maximum of SIL 2. Fault exclusions in this case are: - Non-failure of the diagnostic unit by means of the mirror contacts and - Non-failure of the fault reaction (circuit-breaker) during the 6-12 months until the next test of the circuit-breaker by means of undervoltage tripping. Entry-ID: 40349715, V3.0, 01/2015 8

4 Application examples 4 Application examples Table 4-1 Title Entry-ID Emergency stop up to SIL 2 or PL d with a SIRIUS 3SK1 safety relay 38472027 Emergency stop up to SIL 2 or PL d with SIMOCODE motor management system 107192754 5 History Table 5-1 History Version Date Changes V1.0 01.02.2010 First edition V2.0 25.11.2013 Replacement of SIRIUS 3TK28 safety relays by SIRIUS 3SK1 safety relays V3.0 12.11.2014 Change of structure of the FAQ. The illustrated application examples will be published separately and thus deleted from this FAQ. Entry-ID: 40349715, V3.0, 01/2015 9

6 Contact/Support 6 Contact/Support Siemens AG Technical Assistance Tel.: +49 (911) 895-5900 Fax: +49 (911) 895-5907 Email: technical-assistance@siemens.com Internet: www.siemens.com/automation/support-request Entry-ID: 40349715, V3.0, 01/2015 10

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback