20
17-
11
8
Functional Safety HiC2871A
Planning
3
Planning
3.1
System Structure
3.1.1
Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one for
the functional safety, then usually the demand rate for the safety loop is assumed
to be less than once per year.
The relevant safety parameters to be verified are:
• the PFD
avg
value (average
P
robability of dangerous
F
ailure on
D
emand) and
the T
1
value (proof test interval that has a direct impact on the PFD
avg
value)
• the SFF value (
S
afe
F
ailure
F
raction)
• the HFT architecture (
H
ardware
F
ault
T
olerance)
3.1.2
High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and
safety-related operation, then usually the demand rate for this safety loop is
assumed to be higher than once per year.
The relevant safety parameters to be verified are:
• the PFH value (
P
robability of dangerous
F
ailure per
H
our)
• Fault reaction time of the safety system
• the SFF value (
S
afe
F
ailure
F
raction)
• the HFT architecture (
H
ardware
F
ault
T
olerance)
3.1.3
Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous
detected failures to the total failure rate.
SFF = (
s
+
dd
) / (
s
+
dd
+
du
)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or
(sub)systems in a complete safety loop. The device under consideration is
always part of a safety loop but is not regarded as a complete element or
subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure
fraction of elements, subsystems and the complete system, but not of a single
device.
Nevertheless the SFF of the device is given in this document for reference.
Functional Safety HiC2871A
