Pepperl+Fuchs SIL KFD0-RSH-1, Safety Manual

Page: 6 / 20

2
014-07
6
Safety Manual SIL KFD0-RSH-1(-Y2), KFD2-SL-4
Planning
2 Planning
2.1 System Structure
2.1.1 Low Demand Mode of Operation
If there are two loops, one for the standard operation and another one for the
functional safety, then usually the demand rate for the safety loop is assumed to
be less than once per year.
The relevant safety parameters to be verified are:

the PFD
avg
value (average P robability of F ailure on D emand) and the T
proof
value (proof test interval that has a direct impact on the PFD
avg
)

the SFF value ( S afe F ailure F raction)

the HFT architecture ( H ardware F ault T olerance)
2.1.2 High Demand or Continuous Mode of Operation
If there is only one loop, which combines the standard operation and safety
related operation, then usually the demand rate for this loop is assumed to be
higher than once per year.
The relevant safety parameters to be verified are:

the PFH value ( P robability of dangerous F ailure per H our)

Fault reaction time of the safety system

the SFF value ( S afe F ailure F raction)

the HFT architecture ( H ardware F ault T olerance architecture)
2.1.3 Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous
detected failures to the total failure rate.
SFF = ( 
s
+ 
dd
) / ( 
s
+ 
dd
+ 
du
)
A safe failure fraction as defined in EN 61508 is only relevant for elements or
(sub)systems in a complete safety loop. The device under consideration is
always part of a safety loop but is not regarded as a complete element or
subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure
fraction of elements, subsystems and the complete system, but not of a single
device.
Nevertheless the SFF of the device is given in this document for reference.
Safety Manual SIL KFD0-RSH-1(-Y2), KFD2-SL-4