Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Planning
2019-12
3.2 Assumptions
The following assumptions have been made during the FMEDA:
• Failure rates are constant; wear is not considered.
• Failure rates are based on the Siemens standard SN 29500.
• The safety-related device is considered to be a type A device with a hardware fault tolerance of 0.
• The device will be used under average industrial ambient conditions comparable to the classification "stationary mounted" according to MIL-HDBK-217F. Alternatively, operating stress conditions typical of an industrial field environment similar to IEC/EN 60654-1 Class C with an average temperature over a long period of time of 40 °C may be assumed. For a higher average temperature of 60 °C, the failure rates must be multiplied by a factor of 2.5 based on experience. A similar factor must be used if frequent temperature fluctuations are expected.
• The nominal voltage at the digital input is 24 V. Ensure that the nominal voltage does not exceed 26.4 V under all operating conditions.
• To achieve the safe state even in the case of an internal device fault, the DO card must be able to supply a signal current of at least 100 mA.
• Observe the useful lifetime limitations of the output relays.
SIL 3 application
• To build a SIL safety loop for the defined SIL, it is assumed as an example that this device uses 10 % of the available budget for PFDavg/PFH.
• For a SIL 3 application operating in low demand mode, the total PFDavg value of the SIF (Safety Instrumented Function) should be smaller than 10^-3; hence the maximum allowable PFDavg value would then be 10^-4.
• For a SIL 3 application operating in high demand mode, the total PFH value of the SIF should be smaller than 10^-7 per hour; hence the maximum allowable PFH value would then be 10^-8 per hour.
• For a SIL 3 application operating in high demand mode, the internal fault detection and the line fault detection must be enabled. The fault indication output, the collective error message output, or the input impedance change must be monitored. In case of detected faults, the necessary reaction must be initiated.
• If the device is used in applications for high demand mode, perform a risk analysis regarding systematic faults and implement suitable measures to control these systematic faults. For example, these can be the following measures:
  • usage of redundant power supplies,
  • monitoring of the input signal, wiring and connections for short circuits and open circuits,
  • monitoring of the output for open circuits.
• Since the safety loop has a hardware fault tolerance of 0 and it is a type A device, the SFF must be > 90 % according to table 2 of IEC/EN 61508-2 for a SIL 3 (sub)system.
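The budget arithmetic above (10 % device share of the SIL 3 PFDavg/PFH targets, the SFF > 90 % architectural constraint for HFT 0 type A) together with the 60 °C failure-rate factor of 2.5 from the general assumptions, worked through as an added planning check. This is example code, not from the manual or from Pepperl+Fuchs; the device figures are constructed placeholders, and the 1oo1 estimates PFDavg ≈ λDU·T1/2 and PFH ≈ λDU are the IEC/EN 61508-6 single-channel simplifications assumed for the example.

```python
"""Planning check for one device's 10 % share of a SIL 3 safety loop.
Added example, not from the Pepperl+Fuchs manual. The device figures below
are constructed placeholders, not KFD2-RSH-1.2E datasheet values. The 1oo1
formulas PFDavg ~ lambda_DU * T1 / 2 and PFH ~ lambda_DU are the IEC/EN
61508-6 single-channel simplifications (assumption for this example)."""
from dataclasses import dataclass

SIF_PFD_AVG_LIMIT_SIL3 = 1e-3      # low demand: whole-SIF PFDavg must stay below this
SIF_PFH_LIMIT_SIL3 = 1e-7          # high demand: whole-SIF PFH per hour
DEVICE_SHARE = 0.10                # this device uses 10 % of the SIF budget
SFF_MIN_SIL3_HFT0_TYPE_A = 0.90    # IEC/EN 61508-2 table 2, type A, HFT = 0
TEMPERATURE_FACTOR = {40: 1.0, 60: 2.5}  # average ambient °C -> failure-rate factor


@dataclass
class DeviceFigures:
    lambda_du_per_hour: float     # dangerous undetected failure rate at 40 °C
    sff: float                    # safe failure fraction, 0..1
    proof_test_interval_h: float  # T1 used for the low demand PFDavg estimate


def derated_lambda_du(dev: DeviceFigures, avg_temp_c: int) -> float:
    """Apply the manual's temperature factor (x2.5 at 60 °C average)."""
    if avg_temp_c not in TEMPERATURE_FACTOR:
        raise ValueError("manual gives factors for 40 °C and 60 °C only")
    return dev.lambda_du_per_hour * TEMPERATURE_FACTOR[avg_temp_c]

def architecture_ok(dev: DeviceFigures) -> bool:
    """HFT = 0, type A: SFF must exceed 90 % for a SIL 3 subsystem."""
    return dev.sff > SFF_MIN_SIL3_HFT0_TYPE_A

def check_low_demand(dev: DeviceFigures, avg_temp_c: int = 40) -> dict:
    """Device PFDavg estimate against its 10 % share of the SIL 3 budget."""
    pfd_avg = derated_lambda_du(dev, avg_temp_c) * dev.proof_test_interval_h / 2
    limit = SIF_PFD_AVG_LIMIT_SIL3 * DEVICE_SHARE  # 1e-4
    return {"pfd_avg": pfd_avg, "limit": limit,
            "ok": pfd_avg <= limit and architecture_ok(dev)}

def check_high_demand(dev: DeviceFigures, avg_temp_c: int = 40,
                      fault_detection_enabled: bool = False) -> dict:
    """Device PFH share plus the manual's fault-detection requirement."""
    pfh = derated_lambda_du(dev, avg_temp_c)
    limit = SIF_PFH_LIMIT_SIL3 * DEVICE_SHARE  # 1e-8 per hour
    return {"pfh": pfh, "limit": limit,
            "ok": pfh <= limit and fault_detection_enabled and architecture_ok(dev)}


# Constructed sample: 8e-9 /h lambda_DU, SFF 95 %, two-year proof test interval
SAMPLE = DeviceFigures(8e-9, 0.95, 2 * 8760)
```

With the constructed figures the device fits its low demand share at 40 °C but not at 60 °C, which is the practical effect of the factor 2.5 on a planning margin.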
SILCL and PL application
• The standards IEC/EN 62061 and EN/ISO 13849-1 require that the safety device is implemented according to the idle current principle. As the device is implemented following the working current principle, no safety classification according to IEC/EN 62061 and EN/ISO 13849-1 was carried out. If you use the device in machinery safety applications, assess the specific application and show that an equivalent safety level will be achieved.