Classification of the Schneider Electric Products
The M580 safety PAC can consist of:
Safety modules, which can perform safety functions, including:
CPU and coprocessor
I/O modules
power supply
Non-interfering modules, which do not perform safety functions, but enable you to add non-safety elements to your safety project.
Because non-interfering modules are not part of the safety loop, they are not part of safety integrity level calculations.
An error detected in a non-interfering module does not negatively impact the execution of the safety functions.
The BMXCPS4002S, BMXCPS4022S, and BMXCPS3522S power supplies are certified. Because they present a negligible dangerous failure rate (<1% of the SIL3 target), the power supply is not included in safety integrity level calculations for the safety loop. As a consequence, neither PFH nor PFD are provided for the power supply modules.
PFD/PFH Values for M580 Safety Modules
Schneider Electric offers the following safety modules certified for use in safety applications. Each safety module is listed with its probability of failure on demand (PFD) and probability of dangerous failure per hour (PFH) for several proof test intervals (PTIs). The PFD/PFH figures are the module's contribution to the overall PFD/PFH of the entire safety loop; they are added to the contributions of the other loop elements (sensors, actuators), not used on their own.
The tables below list the safety modules and their PFD/PFH values for SIL2 and SIL3 applications, where applicable:

Product Type | Product Reference | SIL | PFDG (PTI = 1 year) | PFHG (PTI = 1 year)
---|---|---|---|---
CPU with Copro | BME•58•040S & BMEP58CPROS3 | SIL3 (1) | 4.38E-07 | 1.00E-10
Analog input | BMXSAI0410 | SIL3 (2) | 5.76E-06 | 1.31E-09
Digital input | BMXSDI1602 | SIL3 (2) | 6.81E-06 | 1.56E-09
Digital output | BMXSDO0802 | SIL3 (1) | 5.75E-06 | 1.31E-09
Digital relay output | BMXSRA0405 | SIL2 (3) | 5.85E-06 | 1.68E-09
 | | SIL3 (4) | 5.84E-06 | 1.34E-09
 | | SIL3 (5) | – | 1.35E-09
Power supply | BMXCPS4002S, BMXCPS4022S, and BMXCPS3522S | SIL3 | – | –

(1) 1 output @ 80 °C. (2) 1 input @ 80 °C. (3) 1 relay per output @ 80 °C. (4) 2 relays per output @ 80 °C. (5) 4 relays per output @ 80 °C.


Product Type | Product Reference | SIL | PFDG (PTI = 5 years) | PFHG (PTI = 5 years)
---|---|---|---|---
CPU with Copro | BME•58•040S & BMEP58CPROS3 | SIL3 (1) | 2.20E-06 | 1.01E-10
Analog input | BMXSAI0410 | SIL3 (2) | 2.88E-05 | 1.31E-09
Digital input | BMXSDI1602 | SIL3 (2) | 3.41E-05 | 1.56E-09
Digital output | BMXSDO0802 | SIL3 (1) | 2.88E-05 | 1.31E-09
Digital relay output | BMXSRA0405 | SIL2 (3) | 2.92E-05 | 1.68E-09
 | | SIL3 (4) | 2.92E-05 | 1.34E-09
 | | SIL3 (5) | – | 1.35E-09
Power supply | BMXCPS4002S, BMXCPS4022S, and BMXCPS3522S | SIL3 | – | –

(1) 1 output @ 80 °C. (2) 1 input @ 80 °C. (3) 1 relay per output @ 80 °C. (4) 2 relays per output @ 80 °C. (5) 4 relays per output @ 80 °C.


Product Type | Product Reference | SIL | PFDG (PTI = 10 years) | PFHG (PTI = 10 years)
---|---|---|---|---
CPU with Copro | BME•58•040S & BMEP58CPROS3 | SIL3 (1) | 4.44E-06 | 1.02E-10
Analog input | BMXSAI0410 | SIL3 (2) | 5.76E-05 | 1.31E-09
Digital input | BMXSDI1602 | SIL3 (2) | 6.81E-05 | 1.56E-09
Digital output | BMXSDO0802 | SIL3 (1) | 5.75E-05 | 1.31E-09
Digital relay output | BMXSRA0405 | SIL2 (3) | 5.84E-05 | 1.68E-09
 | | SIL3 (4) | 5.84E-05 | 1.34E-09
 | | SIL3 (5) | – | 1.35E-09
Power supply | BMXCPS4002S, BMXCPS4022S, and BMXCPS3522S | SIL3 | – | –

(1) 1 output @ 80 °C. (2) 1 input @ 80 °C. (3) 1 relay per output @ 80 °C. (4) 2 relays per output @ 80 °C. (5) 4 relays per output @ 80 °C.


Product Type | Product Reference | SIL | PFDG (PTI = 20 years) | PFHG (PTI = 20 years)
---|---|---|---|---
CPU with Copro | BME•58•040S & BMEP58CPROS3 | SIL3 (1) | 9.00E-06 | 1.04E-10
Analog input | BMXSAI0410 | SIL3 (2) | 1.15E-04 | 1.31E-09
Digital input | BMXSDI1602 | SIL3 (2) | 1.36E-04 | 1.56E-09
Digital output | BMXSDO0802 | SIL3 (1) | 1.15E-04 | 1.31E-09
Digital relay output | BMXSRA0405 | SIL2 (3) | 1.17E-04 | 1.68E-09
 | | SIL3 (4) | 1.17E-04 | 1.34E-09
 | | SIL3 (5) | – | 1.35E-09
Power supply | BMXCPS4002S, BMXCPS4022S, and BMXCPS3522S | SIL3 | – | –

(1) 1 output @ 80 °C. (2) 1 input @ 80 °C. (3) 1 relay per output @ 80 °C. (4) 2 relays per output @ 80 °C. (5) 4 relays per output @ 80 °C.

Probabilities of Failure for SIL3 Applications
For SIL3 applications, IEC 61508 defines the following target ranges for the probability of failure on demand (PFD) and the probability of dangerous failure per hour (PFH) of each safety loop, depending on the mode of operation:
1.0E-04 ≤ PFD < 1.0E-03 for low demand mode of operation
1.0E-08 ≤ PFH < 1.0E-07 for high demand mode of operation
The M580 Safety PAC is certified for use in both low demand and high demand systems.
Safety Integrity Level Sample Calculation
This sample calculation shows you how to determine:
The risk contribution of the Schneider Electric safety modules to your safety application; and
The remaining amount of risk that other devices in the safety loop (for example, sensors and actuators) can contribute to your safety application for a given safety integrity level and mode of operation.
NOTE: When calculating the risk contribution of sensors and actuators to your safety application, contact the manufacturers of these devices and obtain the PFD/PFH values for the appropriate proof test interval.
The following Schneider Electric safety modules are included in this example:
1: BMEP584040S CPU
1: BMEP58CPROS3 Copro
1: BMXSAI0410 Analog input
1: BMXSDO0802 Digital output
1: BMXCPS4002S Power supply
The following calculation uses the PFHG values from the PTI = 20 years table for a high demand mode of operation in a SIL3 safety loop. The maximum permissible PFH value for this safety application is the upper bound of the SIL3 band, 1.0E-07. The PAC's contribution is the sum of the module PFHG values; what is left of the 1.0E-07 budget is the maximum the sensors and actuators may contribute together:

Safety module | Contribution (PFHG) | Remaining contribution for sensors & actuators
---|---|---
CPU with Copro | 1.04E-10 | –
Analog input | 1.31E-09 | –
Digital output | 1.31E-09 | –
Power supply | – | –
Total (numeric) | 2.72E-09 | 97.28E-09
Total (% of the 1.0E-07 maximum) | 2.72% | 97.28%

NOTE: The relay output uses four relays to support one output.
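The apportionment above, carried out in code so that it can be repeated for other module sets, for the low demand (PFD) case and for a given pair of sensor and actuator figures. This is an added example and not Schneider Electric code: the module values are the certified PTI = 20 years figures from the table on this page, the SIL bands are the IEC 61508 target ranges, and the function names, the module labels and the sensor/actuator figures used in the usage lines are assumptions made for illustration.

```python
"""IEC 61508 safety-loop budget apportionment for the M580 sample calculation.

Added worked example; not Schneider Electric code. Module PFH/PFD figures are
the certified values from the PTI = 20 years table on this page. The SIL
bands are the IEC 61508 target failure measures. Function names, module
labels and the sensor/actuator figures are illustrative assumptions.
"""

# IEC 61508 target ranges per SIL: (lower bound inclusive, upper bound exclusive).
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

# Certified M580 safety module values, PTI = 20 years (SIL3 rows of the table above).
# The power supply is certified but excluded from the loop calculation (see text).
M580_PTI_20Y = {
    "BMEP584040S + BMEP58CPROS3": {"pfd": 9.00e-6, "pfh": 1.04e-10},
    "BMXSAI0410":                 {"pfd": 1.15e-4, "pfh": 1.31e-9},
    "BMXSDI1602":                 {"pfd": 1.36e-4, "pfh": 1.56e-9},
    "BMXSDO0802":                 {"pfd": 1.15e-4, "pfh": 1.31e-9},
    "BMXCPS4002S":                {"pfd": 0.0,     "pfh": 0.0},
}


def _bands(mode):
    """Select the value key and the IEC 61508 band table for the mode of operation."""
    if mode == "high":
        return "pfh", PFH_BANDS
    if mode == "low":
        return "pfd", PFD_BANDS
    raise ValueError("mode must be 'high' (PFH) or 'low' (PFD)")


def sil_for(value, mode):
    """Highest SIL whose IEC 61508 band contains the loop's PFH or PFD, or None."""
    _, bands = _bands(mode)
    for sil in (4, 3, 2, 1):
        lo, hi = bands[sil]
        if lo <= value < hi:
            return sil
    return None  # below the SIL4 lower bound or above the SIL1 limit: not classified


def pac_budget(modules, mode, target_sil):
    """Sum the PAC contribution and compute the budget left for sensors and actuators."""
    key, bands = _bands(mode)
    _, limit = bands[target_sil]          # maximum permissible value for the target SIL
    pac = sum(M580_PTI_20Y[m][key] for m in modules)
    return {
        "limit": limit,
        "pac": pac,
        "remaining": limit - pac,
        "pac_pct": 100.0 * pac / limit,
        "remaining_pct": 100.0 * (limit - pac) / limit,
    }


def loop_meets_sil(modules, sensor_value, actuator_value, mode, target_sil):
    """True when PAC + sensor + actuator contributions stay inside the target SIL band."""
    total = pac_budget(modules, mode, target_sil)["pac"] + sensor_value + actuator_value
    achieved = sil_for(total, mode)
    return achieved is not None and achieved >= target_sil


# The module set of the sample calculation above.
SAMPLE_LOOP = ["BMEP584040S + BMEP58CPROS3", "BMXSAI0410", "BMXSDO0802", "BMXCPS4002S"]

if __name__ == "__main__":
    r = pac_budget(SAMPLE_LOOP, "high", 3)
    print(f"PAC PFH {r['pac']:.2E} ({r['pac_pct']:.2f}% of {r['limit']:.1E}); "
          f"remaining {r['remaining']:.2E} ({r['remaining_pct']:.2f}%)")
    # Constructed sensor/actuator PFH figures (assumed; obtain real ones from the vendors).
    print("SIL3 loop with 3.0E-08 + 5.0E-08:", loop_meets_sil(SAMPLE_LOOP, 3.0e-8, 5.0e-8, "high", 3))
    print("SIL3 loop with 5.0E-08 + 5.0E-08:", loop_meets_sil(SAMPLE_LOOP, 5.0e-8, 5.0e-8, "high", 3))
```

Running the block reproduces the table (2.72E-09 for the PAC, 97.28E-09 left for the field devices) and shows the failure mode the NOTE above warns about: with a sensor and an actuator at 5.0E-08 each the loop total passes 1.0E-07 and only reaches SIL2, even though every individual element is well inside the SIL3 band.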
Values for M580 Safety Modules for Machinery
Schneider Electric offers the following safety modules certified for use in safety machinery applications according to ISO 13849-1. The table below lists the safety modules with their category, performance level (PL), mean time to dangerous failure (MTTFd) and average diagnostic coverage (DCavg), where applicable:

Product Type | Product Reference | Configuration | Category | Performance Level | MTTFd (years) | DCavg
---|---|---|---|---|---|---
CPU with Copro | BME•58•040S & BMEP58CPROS3 | NA | 4 | e | 235 | High (>99%)
Analog input | BMXSAI0410 | using 1 channel | 2 | d | 255 | 99.66%
 | | using 2 channels | 4 | e | 255 | 99.66%
Digital input | BMXSDI1602 | using 1 channel | 2 | d | 231 | 99.69%
 | | using 2 channels | 4 | e | 231 | 99.69%
Digital output | BMXSDO0802 | NA | 4 | e | 253 | 99.63%
Digital relay output | BMXSRA0405 | using 1 channel | 2 | c | 156 | 99.77%
 | | using 2 channels | 4 | e | 156 | 99.77%

Values for M580 Safety Modules for Railway
Schneider Electric offers the following safety modules certified for the railway sector according to the CENELEC standards EN 50126, EN 50128 and EN 50129. The table below lists the safety modules with their tolerable functional failure rate (TFFR) values:

Product Type | Product Reference | SIL | TFFR (PTI = 20 years)
---|---|---|---
CPU with Copro | BME•58•040S & BMEP58CPROS3 | SIL4 | 1.04E-10
Analog input | BMXSAI0410 | SIL4 | 1.31E-09
Digital input | BMXSDI1602 | SIL4 | 1.56E-09
Digital output | BMXSDO0802 | SIL4 | 1.31E-09
Digital relay output | BMXSRA0405 | SIL3 (1) | 1.68E-09
 | | SIL4 (2) | 1.34E-09
 | | SIL4 (3) | 1.35E-09
Power supply | BMXCPS4002S, BMXCPS4022S, and BMXCPS3522S | SIL4 | –

NOTE: SIL values are @ 80 °C.
(1) 1 relay per output @ 80 °C. (2) 2 relays per output @ 80 °C. (3) 4 relays per output @ 80 °C.

The sum of the TFFR values of an input module, the CPU and coprocessor, the power supply and an output module is always lower than 3.5E-09/h. This is below 40% of the SIL4 TFFR limit of 1.0E-08/h, the maximum budget allocated to the PAC as its residual failure rate within a SIL4 safety function, so the remaining budget is available for integrating other products into the safety loop.
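The 3.5E-09/h bound above is stated for every input/output combination, so the check a practitioner would actually run is an exhaustive one over the SIL4 rows of the railway table rather than a single sum. The block below is an added example, not Schneider Electric code: the TFFR figures are the PTI = 20 years values from the table on this page, the 40% share and the 1.0E-08/h SIL4 limit come from the text, and the function names and the module labels are my own.

```python
"""Worst-case M580 TFFR against the 40% SIL4 allocation stated in the text.

Added example; not Schneider Electric code. TFFR figures are the PTI = 20 years
values of the railway table on this page (SIL4 configurations only). The 40%
share, the 3.5E-09/h bound and the 1.0E-08/h SIL4 limit are from the text;
function names and module labels are assumptions.
"""
from itertools import product

CPU_COPRO_TFFR = 1.04e-10              # BME•58•040S & BMEP58CPROS3
POWER_SUPPLY_TFFR = 0.0                # certified, but not part of the calculation
INPUT_TFFR = {"BMXSAI0410": 1.31e-9, "BMXSDI1602": 1.56e-9}
OUTPUT_TFFR = {
    "BMXSDO0802": 1.31e-9,
    "BMXSRA0405 (2 relays per output)": 1.34e-9,   # SIL4 configuration
    "BMXSRA0405 (4 relays per output)": 1.35e-9,   # SIL4 configuration
}
SIL4_TFFR_LIMIT = 1e-8                 # upper bound of the SIL4 TFFR band, per hour
PAC_SHARE = 0.40                       # share of the SIL4 budget allocated to the PAC
CLAIMED_PAC_BOUND = 3.5e-9             # bound stated in the text, per hour


def worst_case_pac_tffr():
    """Largest TFFR of any one-input + CPU/copro + power supply + one-output chain.

    Returns (total, input_reference, output_reference) for the worst combination.
    """
    worst = None
    for (inp, in_tffr), (out, out_tffr) in product(INPUT_TFFR.items(), OUTPUT_TFFR.items()):
        total = in_tffr + CPU_COPRO_TFFR + POWER_SUPPLY_TFFR + out_tffr
        if worst is None or total > worst[0]:
            worst = (total, inp, out)
    return worst


def check_pac_allocation():
    """Check worst case <= stated bound <= 40% of the SIL4 limit and report the margins."""
    total, inp, out = worst_case_pac_tffr()
    allocation = PAC_SHARE * SIL4_TFFR_LIMIT
    return {
        "worst_total": total,
        "worst_input": inp,
        "worst_output": out,
        "allocation": allocation,
        "left_for_others": SIL4_TFFR_LIMIT - total,   # budget left for the rest of the loop
        "within_claim": total <= CLAIMED_PAC_BOUND,
        "within_allocation": CLAIMED_PAC_BOUND <= allocation,
    }


if __name__ == "__main__":
    r = check_pac_allocation()
    print(f"worst case {r['worst_total']:.3E}/h ({r['worst_input']} + CPU/copro + PS + {r['worst_output']})")
    print(f"PAC allocation {r['allocation']:.1E}/h; stated bound holds: {r['within_claim']}; "
          f"bound inside allocation: {r['within_allocation']}")
```

The worst chain is the digital input with the four-relay output configuration, at 3.014E-09/h, so the stated 3.5E-09/h bound holds with margin and the PAC stays under the 4.0E-09/h allocation. Re-run the check whenever a module's certified TFFR changes or a new module is added to the table.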

TFFR per hour and function | SIL attribute
---|---
1.0E-09 ≤ TFFR < 1.0E-08 | 4
1.0E-08 ≤ TFFR < 1.0E-07 | 3
1.0E-07 ≤ TFFR < 1.0E-06 | 2
1.0E-06 ≤ TFFR < 1.0E-05 | 1

Safety Times Description
The M580 safety PAC has a minimum PAC cycle time of 10 ms, which is needed to process the signals from the I/O modules, execute the program logic, and set the outputs. To calculate the maximum PAC reaction time, you also need the maximum reaction times of the sensors and actuators being used. In addition, the maximum PAC reaction time you can allow depends on the process safety time (PST) required for your process.
Proof Test Interval
The proof test is a periodic test you perform to detect failures in a safety-related system so that, if necessary, the system can be restored to a like-new condition, or as close to that condition as practical. The time between these tests is the proof test interval.
The proof test interval depends on the targeted safety integrity level, the sensors, the actuators and the PAC application. The M580 safety system is suitable for use in a SIL3 application according to IEC 61508 with a proof test interval of 20 years.