

IEC 61508
Data Declaration

Declaration relating to: MTL4521 and MTL5521

Manufactured and assessed by:

Measurement Technology Limited, Power Court, Luton, Bedfordshire, LU1 3JJ

This document is issued as a summary of the key factors affecting the application of the equipment
as a sub-system being part of a Safety System intended to conform with the requirements of
IEC61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety Systems.
The hardware has been subjected to a Failure Modes and Effects Analysis (FMEA) to determine the
specific failure modes and failure rates with the relevant results presented herein.

Product Description
The MTL4521 and MTL5521 are loop powered modules which enable a device located in the
hazardous area to be controlled from the safe area. The output current available to the hazardous
area is limited to comply with the requirements of IIC gas atmospheres.

Product Failure Categories

The hardware assessment shows that MTL4521 and MTL5521 Solenoid Drivers:

  - have a hardware fault tolerance of 0
  - are classified as Type A devices

The definitions for product failure of the MTL4521 and MTL5521 were determined as:-

Failure mode                                            Failure rate (FIT)

Output stuck ON                                         0
Output stuck OFF (no output)                            280
Correct operation but reduced output voltage when ON    73
Correct operation (failures have no effect)             83

FMEA/DD4521/07/08 Page 1 of 2
Example of use in a safety function
In this example, the application context is assumed to be:

  - the safety function is to de-energise the output on demand

The failure modes shown above can then be defined as:

Failure mode                                            Category

Output stuck ON                                         Dangerous undetected, du
Output stuck OFF (no output)                            Safe undetected, su
Correct operation but reduced output voltage when ON    Safe undetected, su
Correct operation (failures have no effect)             Safe undetected, su

According to the definitions of IEC61508 the failure rates for these categories are then (FITs):

Model                 sd    su    dd    du
MTL4521 or MTL5521    0     436   0     0

In this example, the safe failure fraction is 100% (because the device is loop-powered it is impossible
for it to energise the output unless the input is energised). So the devices meet the hardware
architecture constraints to be used as single devices in Safety Instrumented Functions up to SIL3.
FITs means failures per 10^9 hours or failures per thousand million hours.
Source data for this analysis is taken from IEC TR 62380:2004 Reliability Data Handbook.
Failure mode distributions are taken principally from IEC 62061: Safety of Machinery.
Unless the application context is to de-energise on demand, proof testing must be carried
out according to the application requirements, but it is recommended that this be carried out
at least once every three years. For de-energise on demand applications, proof testing is
Consideration should be made of the normal lifetime for a device of this type which would
be in the region of ten years.
There are no internal diagnostic elements of this product.
For all other product parameters related to its application (voltage range, environment, etc.)
please refer to the published MTL data sheet for this product, available at www.mtl-
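
The safe failure fraction example above can be reproduced from the failure-mode table. The following is an added illustration, not part of MTL's declaration or assessment: it sums the declared FIT values by category, computes the safe failure fraction, and looks up the Type A architectural constraint from IEC 61508-2. The "energise on demand" categorisation is a hypothetical assumption, included only to show that the result depends on the application context.

```python
# Added example; function and variable names are illustrative.
# FIT values per failure mode, copied from the declaration's table.
FIT = {"stuck_on": 0, "stuck_off": 280, "reduced_voltage": 73, "no_effect": 83}

# Categorisation given in the declaration for "de-energise on demand".
# As on the page, no-effect failures are counted as safe undetected.
DE_ENERGISE = {"stuck_on": "du", "stuck_off": "su",
               "reduced_voltage": "su", "no_effect": "su"}

# ASSUMPTION (not from the declaration): a hypothetical "energise on demand"
# function, where a lost or reduced output prevents the safety action.
ENERGISE_HYPOTHETICAL = {"stuck_on": "su", "stuck_off": "du",
                         "reduced_voltage": "du", "no_effect": "su"}

# IEC 61508-2 architectural constraints for Type A elements:
# (lower SFF bound, maximum SIL at hardware fault tolerance 0, 1, 2)
TYPE_A = [(0.99, (3, 4, 4)), (0.90, (3, 4, 4)),
          (0.60, (2, 3, 4)), (0.00, (1, 2, 3))]


def rates(categories):
    """Sum the FIT values into sd / su / dd / du for one application context."""
    out = {"sd": 0, "su": 0, "dd": 0, "du": 0}
    for mode, fit in FIT.items():
        out[categories[mode]] += fit
    return out


def safe_failure_fraction(r):
    """SFF = (sd + su + dd) / (sd + su + dd + du)."""
    total = sum(r.values())
    if total == 0:
        raise ValueError("no failure rate data")
    return (total - r["du"]) / total


def max_sil_type_a(sff, hft=0):
    """Highest SIL the architectural constraints allow for a Type A element."""
    for bound, sils in TYPE_A:
        if sff >= bound:
            return sils[hft]
    raise ValueError("SFF must be between 0 and 1")


if __name__ == "__main__":
    for name, cats in (("de-energise on demand", DE_ENERGISE),
                       ("energise on demand (hypothetical)", ENERGISE_HYPOTHETICAL)):
        r = rates(cats)
        sff = safe_failure_fraction(r)
        print(f"{name}: {r} SFF={sff:.1%} max SIL (HFT 0)={max_sil_type_a(sff)}")
```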

Signed on behalf of MTL

Analyst                Chief Technical Officer
D I Hammond            Jon Malins
Signed:                Signed:

Date: 1st July 2008    Date: 18th July 2008
