Safety Manual SIL KCD2-STC-(Ex)1.HC(.SP), HiC2025HC
Planning
2012-07

2.2 Assumptions
The following assumptions have been made during the FMEDA analysis:
The device shall claim less than 10 % of the total failure budget for a SIL2 safety loop.
For a SIL2 application operating in Low Demand Mode the total PFDavg value of the SIF (Safety Instrumented Function) should be smaller than 10^-2, hence the maximum allowable PFDavg value for the device would then be 10^-3.
For a SIL2 application operating in High Demand Mode of operation the total PFH value of the SIF should be smaller than 10^-6 per hour, hence the maximum allowable PFH value for the device would then be 10^-7 per hour.
Failure rates are based on the Siemens SN29500 database.
Failure rates are constant; wear-out mechanisms are not included.
External power supply failure rates are not included.
The safety-related device is considered to be a type A component with a Hardware Fault Tolerance of 0.
Since the circuit has a Hardware Fault Tolerance of 0 and it is a type A component, the SFF must be > 60 % according to Table 2 of IEC 61508-2 for a SIL2 (sub)system.
The stress levels are average for an industrial environment and can be compared to the Ground Fixed classification of MIL-HDBK-217F.
Alternatively, the assumed environment is similar to:
• IEC 60654-1 Class C (sheltered location) with temperature limits within the manufacturer's rating and an average temperature over a long period of time of 40 °C. Humidity levels are assumed within the manufacturer's rating. For a higher average temperature of 60 °C, the failure rates should be multiplied by an experience-based factor of 2.5. A similar multiplier should be used if frequent temperature fluctuation must be assumed.
During normal operation any change of the operating function (DIP switch modification) must be prevented.
It was assumed that the appearance of a safe error (e.g. output in safe state) would be repaired within 8 hours (e.g. remove sensor burnout).
During the absence of the device for repair, measures have to be taken to ensure the safety function (for example: substitution by an equivalent device).
The HART protocol is only used for setup, calibration, and diagnostic purposes, not during normal operation.
The application program in the logic solver must be configured to detect underrange and overrange failures.
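The following worked check ties the assumptions above together: the 10 % share of the SIL2 loop budget, the SFF threshold from IEC 61508-2 Table 2 for a type A, HFT 0 subsystem, and the factor 2.5 for a 60 °C average temperature. It is an added example written for this manual page, not the manufacturer's FMEDA code; the failure rates λ_SD, λ_SU, λ_DD and λ_DU (in FIT, 10^-9 per hour) are constructed values, not the results of the KCD2-STC-(Ex)1 FMEDA, and the PFDavg formula is the simplified 1oo1 approximation PFDavg ≈ λ_DU · T1 / 2 with repair time neglected (the full IEC 61508-6 formula also carries MTTR terms).

```python
"""SIL2 budget check for a 1oo1, type A, HFT 0 subsystem (added example)."""

FIT = 1e-9  # one FIT is one failure per 1e9 hours

# IEC 61508-1 target failure measures: the SIF must stay below these bands.
PFD_AVG_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}   # low demand, PFDavg
PFH_LIMIT = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}       # high demand, per hour
DEVICE_SHARE = 0.10  # the device may claim at most 10 % of the loop budget

# Constructed FMEDA-style failure rates in FIT (lambda_SD, lambda_SU,
# lambda_DD, lambda_DU). These are illustrative values, not the device's real FMEDA results.
EXAMPLE_RATES_FIT = (50.0, 200.0, 300.0, 80.0)
HOT_ENV_FACTOR = 2.5  # multiplier for a 60 degC average temperature


def device_budget(sil, share=DEVICE_SHARE):
    """Return (PFDavg budget, PFH budget per hour) the device may claim."""
    return PFD_AVG_LIMIT[sil] * share, PFH_LIMIT[sil] * share


def sff(lam_sd, lam_su, lam_dd, lam_du):
    """Safe failure fraction: (safe + dangerous detected) / all failures."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def max_sil_type_a_hft0(sff_value):
    """IEC 61508-2 Table 2, type A, HFT 0: highest SIL the SFF supports."""
    if sff_value < 0.60:
        return 1
    if sff_value < 0.90:
        return 2
    return 3  # 90 % and above (including >= 99 %) caps at SIL3 for HFT 0


def pfd_avg_1oo1(lam_du_per_h, proof_test_interval_h):
    """Simplified 1oo1 low-demand approximation, repair time neglected."""
    return lam_du_per_h * proof_test_interval_h / 2


def max_proof_test_interval_h(lam_du_per_h, pfd_budget):
    """Largest T1 that keeps the simplified PFDavg within the budget."""
    return 2 * pfd_budget / lam_du_per_h


def assess(rates_fit, sil=2, proof_test_interval_h=8760, env_factor=1.0):
    """Scale all rates by the environment factor, then check SFF, PFDavg and PFH."""
    sd, su, dd, du = (r * env_factor for r in rates_fit)
    du_per_h = du * FIT
    pfd_budget, pfh_budget = device_budget(sil)
    sff_value = sff(sd, su, dd, du)  # unchanged by a common multiplier
    pfd = pfd_avg_1oo1(du_per_h, proof_test_interval_h)
    pfh = du_per_h  # HFT 0: every dangerous undetected failure defeats the loop
    return {
        "sff": sff_value,
        "sil_by_sff": max_sil_type_a_hft0(sff_value),
        "pfd_avg": pfd,
        "pfd_ok": pfd <= pfd_budget,
        "pfh": pfh,
        "pfh_ok": pfh <= pfh_budget,
        "max_t1_h": max_proof_test_interval_h(du_per_h, pfd_budget),
    }


if __name__ == "__main__":
    for label, factor in (("40 degC", 1.0), ("60 degC", HOT_ENV_FACTOR)):
        r = assess(EXAMPLE_RATES_FIT, env_factor=factor)
        print(f"{label}: SFF={r['sff']:.3f} (SIL{r['sil_by_sff']} by Table 2), "
              f"PFDavg={r['pfd_avg']:.2e} ok={r['pfd_ok']}, "
              f"PFH={r['pfh']:.2e}/h ok={r['pfh_ok']}, max T1={r['max_t1_h']:.0f} h")
```

With the constructed rates the device passes both budgets at 40 °C with a one-year proof test interval, but the 2.5 multiplier for 60 °C pushes λ_DU to 2·10^-7 per hour, which exceeds the 10^-7 per hour PFH allowance even though the low-demand PFDavg still fits; the SFF itself is unaffected because all rates scale together, which is why the temperature assumption matters more for high-demand loops than the Table 2 check suggests.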