2
018-
03
8
Functional Safety KFD2-VR4-Ex1.26
Planning
3
Planning
3.1
System Structure
3.1.1
Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one for the functional
safety, then usually the demand rate for the safety loop is assumed to be less than once
per year.
The relevant safety parameters to be verified are:
•
the PFD
avg
value (average
P
robability of dangerous
F
ailure on
D
emand) and the
T
1
value (proof test interval that has a direct impact on the PFD
avg
value)
•
the SFF value (
S
afe
F
ailure
F
raction)
•
the HFT architecture (
H
ardware
F
ault
T
olerance)
3.1.2
High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and safety-related
operation, then usually the demand rate for this safety loop is assumed to be higher than once
per year.
The relevant safety parameters to be verified are:
•
the PFH value (
P
robability of dangerous
F
ailure per
H
our)
•
Fault reaction time of the safety system
•
the SFF value (
S
afe
F
ailure
F
raction)
•
the HFT architecture (
H
ardware
F
ault
T
olerance)
3.1.3
Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous detected failures
to the total failure rate.
SFF = (
s
+
dd
) / (
s
+
dd
+
du
)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or (sub)systems
in a complete safety loop. The device under consideration is always part of a safety loop but
is not regarded as a complete element or subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure fraction
of elements, subsystems and the complete system, but not of a single device.
Nevertheless the SFF of the device is given in this document for reference.
