Kindly Note: For expanding further cooperation with customers, old and new, now we have MTL5544D, MTL5541 and MTL5511 barriers in stock with a special price.
If you have any need, kindly send an inquiry to us !
1 INTRODUCTION SIL
1.1 Application and function
The MTL452x and MTL552x are isolator modules which enable a device located in the hazardous area to be controlled from the safe area. Some models are simply loop-powered while others have additional input logic signals to enable power to be supplied to the output. The output current available to the hazardous area is limited to comply with the requirements of the process explosion hazard. They are also designed and assessed according to IEC 61508 for use in safety instrumented systems up to SIL2 or in loop-powered variant up to SIL3 when the required function is to de-energise the output.
When used in a safety instrumented function where the required operation is to energise the output on demand then a SIL1 rating is achieved.
The modules can drive a certified intrinsically safe low-power load, such as a solenoid valve or a non-energy-storing simple apparatus such as an LED lamp.
There are no configuration switches or operator controls to be set on the modules - they perform a fixed function related to the model selected.
These modules are members of the MTL4500 and MTL5500 Series of products.
2 System Configuration
An MTLx52x loop-powered module may be used in single-channel (1oo1) safety functions up to SIL3 and an MTLx52x separately powered module may similarly be used up to SIL2 where the safe state is to de-energise the output.
The figure below shows the system configuration and specifies detailed interfaces to the safety related and non safety-related system components. It does not aim to show all details of the internal module structure, but is intended to support understanding for the application.
The MTLx52x modules are designed to power a field device such as a solenoid valve in the hazardous area and are driven from a safe-area source. The yellow (hatched) area shows the safety relevant system connection when using the loop-powered configuration. For simplicity the term ‘PLC’ has been used to denote the safety system performing the driving function of the process loop.
2.1 Associated System Components
There are many parallels between the loop components that must be assessed for intrinsic safety as well as functional safety where in both situations the contribution of each part is considered in relation to the whole.
The MTLx52x module is a component in the signal path between safety-related actuators and safety-related control systems.
The solenoid valve, or other field device, must be suitable for the process and have been assessed and verified for use in functional safety applications as well as its certification for hazardous area mounting.
3 Selection of product and implications
For the loop-powered modules there is only one function - to energize the output when power is applied to the input. This may be used as a safety function, preferably with power off as the safe state, i.e de-energise to safe.
When the module is loop powered, the output cannot be energised if the input is de-energised.
There is no significant energy storage within the module that could delay the de-energising of the output. The module can be considered as a dc transformer where the output will de-energise to within 10% of its final value within 100msec with a load up to 4kohms.
Thus, when used in a de-energise to safe function, as identified in the next section the dangerous undetected failures rate λdu for the loop-powered MTL4/5521 modules is less than the maximum failure rate normally applied for SIL3 systems with 1oo1 architecture.
This is considering the hardware failure rate only and the user must consider the systematic implications of applying this equipment in safety functions where a number of safety-related subsystem channels are implemented to achieve the requisite hardware fault tolerance.
For the separately powered modules which are controlled by a logic signal, the hardware failure rate and systematic considerations indicate limiting the use of such modules to simplex (1oo1) loops achieving up to SIL2 for a de-energise to safe function.
Note: When using the modules that are not loop-powered it is important that the solenoids being driven be chosen to ensure that the residual field current that flows in the module OFF state does not cause the solenoid to remain energised. There is a small field current that is used by the module to determine the line condition and some low-power solenoids are capable of remaining in their energised state, once energised, with very small loop currents. If the safe state of the loop is for the solenoid to be OFF then it must be able to drop out, despite the monitoring of line state.
It is important that the effect of electromagnetic interference on the operation of any safety function is reduced where possible. For this reason it is recommended that the cable connections from the logic solver to the isolator modules be a maximum of 30 metres and are not exposed to possible induced surges, keeping them inside a protected environment.
Similarly, operation of the equipment outside of its environmental ratings induces component stress and in particular temperatures below -20ºC are to be avoided to ensure required performance.
4 Assessment of functional safety
The design features and the techniques/measures used to prevent systematic faults are suitable for the use of the loop-powered modules (MTL4/5521/21L/22/23L/25) in safety functions up to SIL3 and for the separately powered modules (MTL4/5523/23x/24/24x/25) up to SIL2 to de-energise the output. When the safety function is to energise the output then a SIL1 rating can be determined.
The hardware assessment shows that MTLx52x solenoid/alarm drivers:
• have a hardware fault tolerance of 0
• are classified as Type A devices (“Non-complex” component with well-defined failure modes)
• There are no internal diagnostic elements of these products.
There are two particular aspects of safety that must be considered when installing the MTL4500 or MTL5500 modules and these are:
• Functional safety
• Intrinsic safety
Reference must be made to the relevant sections within the instruction manual for MTL4500 Series (INM4500) or MTL5500 Series (INM5500) which contain basic guides for the installation of the interface equipment to meet the requirements of intrinsic safety. In many countries there are specific codes of practice, together with industry guidelines, which must also be adhered to.
Provided that these installation requirements are followed then there are no additional factors to meet the needs of applying the products for functional safety use.
To guard against the effects of dust and water the modules should be mounted in an enclosure providing at least IP54 protection degree, or the location of mounting should provide equivalent protection such as inside an equipment cabinet.
In applications using MTL4500 Series, where the environment has a high humidity, the mounting backplanes should be specified to include conformal coating.
To follow the guidelines pertaining to operation and maintenance of intrinsically safe equipment in a hazardous area, yearly periodic audits of the installation are required by the various codes of practice. In addition, proof-testing of the loop operation to conform with functional safety requirements should be carried out at the intervals determined by safety case assessment.
Proof testing must be carried out according to the application requirements, but it is recommended that this be carried out at least once every three years.
Refer to Appendix B for the proof testing procedure of the MTL4500 or MTL5500 modules.
Note that there may also be specific requirements laid down in the E/E/PE operational maintenance procedure for the complete installation.
If an MTL4500 or MTL5500 module is found to be faulty during commissioning or during the normal lifetime of the product then such failures should be reported to MTL. When appropriate, a Customer Incident Report (CIR) will be notified to enable the return of the unit to the factory for analysis. If the unit is within the warranty period then a replacement unit will be sent.
Consideration should be made of the normal lifetime for a device of this type which would be in the region of ten years.