Functional Safety KFD2-VR4-Ex1.26
Planning
2018-03
3.2 Assumptions
The following assumptions have been made during the FMEDA:
• The device will be used under average industrial ambient conditions comparable to the classification "stationary mounted" according to MIL-HDBK-217F. Alternatively, operating stress conditions typical of an industrial field environment similar to IEC/EN 60654-1 Class C with an average temperature over a long period of time of 40 °C may be assumed. For a higher average temperature of 60 °C, the failure rates must be multiplied by a factor of 2.5 based on experience. A similar factor must be used if frequent temperature fluctuations are expected.
• The device shall claim less than 15 % of the total failure budget for a SIL 2 safety loop.
• For a SIL 2 application operating in low demand mode, the total PFDavg value of the SIF (Safety Instrumented Function) should be smaller than 1 x 10⁻², hence the maximum allowable PFDavg value for the device would then be 1.5 x 10⁻³.
• For a SIL 2 application operating in high demand mode, the total PFH value of the SIF should be smaller than 1 x 10⁻⁶ per hour, hence the maximum allowable PFH value for the device would then be 1.5 x 10⁻⁷ per hour.
• Since the safety loop has a hardware fault tolerance of 0 and it is a type A device, the SFF must be > 60 % according to table 2 of IEC/EN 61508-2 for a SIL 2 (sub)system.
• Failure rates are based on the Siemens standard SN29500.
• Any safe failures that occur (e.g. output in safe state) will be corrected within 8 hours (e.g. removal of the sensor fault).
• While the device is being repaired, measures must be taken to maintain the safety function (e.g. substitution by a replacement device).
• Propagation of failures is not relevant.
• There is no signalling of dangerous failures at the output of the device. Therefore, fault detection by external safety devices is not assumed.
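The assumptions above can be turned into a small planning check, shown here as an added example that is not part of the manual and does not use the device's published FMEDA figures: the failure rates are constructed sample values in FIT, the 1oo1 estimates PFDavg ≈ λdu·T1/2 and PFH ≈ λdu are the usual simplified IEC/EN 61508 forms (an assumption, since this section gives no formula), and the 2.5 multiplier is applied for a 60 °C average temperature as the manual states.

```python
# Constructed sample failure rates in FIT (failures per 1e9 h) split into
# safe detected/undetected and dangerous detected/undetected. Illustrative
# only; these are NOT the KFD2-VR4-Ex1.26's FMEDA results.
SAMPLE_RATES_FIT = {"sd": 120.0, "su": 310.0, "dd": 0.0, "du": 70.0}

SIL2_PFD_LIMIT = 1e-2            # low demand, whole SIF
SIL2_PFH_LIMIT = 1e-6            # high demand, whole SIF, per hour
DEVICE_SHARE = 0.15              # device may claim < 15 % of the loop budget
TEMP_FACTOR_60C = 2.5            # manual's empirical factor for 60 °C average
SFF_MIN_TYPE_A_HFT0_SIL2 = 0.60  # IEC/EN 61508-2 table 2, type A, HFT 0

def allowable_budget(loop_limit, share=DEVICE_SHARE):
    """Portion of the loop's PFDavg or PFH limit the device may consume."""
    return loop_limit * share

def scale_rates(rates_fit, avg_temp_c):
    """Multiply all rates by 2.5 when the long-term average reaches 60 °C."""
    factor = TEMP_FACTOR_60C if avg_temp_c >= 60 else 1.0
    return {k: v * factor for k, v in rates_fit.items()}

def safe_failure_fraction(r):
    """SFF = (λsd + λsu + λdd) / λtotal; the temperature factor cancels out."""
    total = r["sd"] + r["su"] + r["dd"] + r["du"]
    return (r["sd"] + r["su"] + r["dd"]) / total

def pfd_avg_1oo1(r, proof_test_h):
    """Simplified 1oo1 estimate PFDavg ≈ λdu * T1 / 2 (λdu converted from FIT)."""
    return r["du"] * 1e-9 * proof_test_h / 2

def assess(rates_fit, avg_temp_c, proof_test_h):
    """Check a 1oo1 device against the SIL 2 assumptions listed above."""
    r = scale_rates(rates_fit, avg_temp_c)
    sff = safe_failure_fraction(r)
    pfd = pfd_avg_1oo1(r, proof_test_h)
    pfh = r["du"] * 1e-9  # simplified high-demand estimate: PFH ≈ λdu
    return {
        "sff": sff,
        "sff_ok": sff > SFF_MIN_TYPE_A_HFT0_SIL2,
        "pfd_avg": pfd,
        "pfd_ok": pfd <= allowable_budget(SIL2_PFD_LIMIT),
        "pfh": pfh,
        "pfh_ok": pfh <= allowable_budget(SIL2_PFH_LIMIT),
    }

if __name__ == "__main__":
    # One-year proof test interval; the same sample device passes at 40 °C
    # but exceeds its PFH share at 60 °C, which is what the 2.5 factor is for.
    for temp in (40, 60):
        print(temp, "°C:", assess(SAMPLE_RATES_FIT, temp, proof_test_h=8760))
```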