2011-09
SAFETY MANUAL SIL KFD2-UT2-(EX)*, HID2082
Planning
2.2 Assumptions
The following assumptions have been made during the FMEDA analysis:
■ Failure rates are constant, wear out mechanisms are not included.
■ Propagation of failures is not relevant.
■ Sufficient tests are performed prior to shipment to verify the absence of
vendor and/or manufacturing defects that prevent proper operation of
specified functionality to product specifications or cause operation different
from the design analyzed.
■ All modules are operated in the low demand mode of operation.
■ External power supply failure rates are not included.
■ Short circuit (SC) detection and Lead Breakage (LB) detection are activated.
■ The "HOLD" function is disabled.
■ Process related parameters are protected by password.
■ Failures during parameterization are not considered.
■ Only one input and one output are part of the considered safety function (only
2-channel version).
■ The collective error output which signals if the field wiring is broken or shorted
is not considered in the FMEDA and the calculations.
■ The characteristics of the current output are set to NE43 (4 mA ... 20 mA).
■ The device shall claim less than 10 % of the total failure budget for a SIL2
safety loop.
■ For a SIL2 application operating in Low Demand Mode the total PFDavg value
of the SIF (Safety Instrumented Function) should be smaller than 10^-2, hence
the maximum allowable PFDavg value for the device would then be 10^-3.
■ The stress levels are average for an industrial environment and can be
compared to the Ground Fixed classification of MIL-HDBK-217F.
Alternatively, the assumed environment is similar to:
• IEC 60654-1 Class C (sheltered location) with temperature limits within
the manufacturer's rating and an average temperature over a long period
of time of 40 °C. Humidity levels are assumed within the manufacturer's
rating. For a higher average temperature of 60 °C, the failure rates should
be multiplied by an experience-based factor of 2.5. A similar multiplier
should be used if frequent temperature fluctuation must be assumed.
■ The safety-related device is considered to be of type B components with a
Hardware Fault Tolerance of 0.
■ The IEC 61511-1 section 11.4.4 allows devices to be used in applications one
SIL higher than given by table 3 of IEC 61508-2, if the device is proven in use.
The assessment and proven-in-use demonstration lead to the result that the
device may be used in applications up to SIL2. However, it is the responsibility
of the end-user to decide on applying proven-in-use devices.
■ Failure rates are based on the Siemens SN29500 database.
■ It was assumed that a safe error (e.g. output in safe state) would be
repaired within 8 hours (e.g. by removing a sensor burnout).
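The assumptions above fix the numbers a loop designer feeds into a PFDavg budget check: a 10^-2 loop limit for SIL2 low demand, a device share below 10 % of it (10^-3), an 8 h repair time for detected failures, and a 2.5 multiplier on the constant failure rates at a 60 °C average. The Python below is an added worked example, not part of this manual or of the device's FMEDA: the dangerous-undetected and dangerous-detected failure rates it uses are constructed placeholders, and the PFDavg expression is the simplified IEC 61508-6 formula for a 1oo1 architecture (HFT 0, low demand), which this section does not itself state. Only the limit, share, repair time and temperature factor are taken from the assumptions.

```python
"""PFDavg budget check for a single-channel (HFT 0) low-demand device.

Added illustration, not from the manual: the failure rates passed in are
constructed placeholders, and pfd_avg_1oo1() uses the simplified
IEC 61508-6 1oo1 expression, which the manual's assumptions do not state.
"""

# Values taken from the manual's FMEDA assumptions
SIL2_LOOP_PFD_AVG_LIMIT = 1e-2   # total PFDavg of the SIF for SIL2, low demand
DEVICE_BUDGET_SHARE = 0.10       # the device may claim < 10 % of that budget
MTTR_HOURS = 8.0                 # safe / detected failures repaired within 8 h
TEMP_FACTOR_60C = 2.5            # experience-based multiplier at 60 °C average

HOURS_PER_YEAR = 8760.0


def device_pfd_avg_limit():
    """Maximum PFDavg the device may claim: 10 % of the SIL2 loop budget, i.e. 1e-3."""
    return SIL2_LOOP_PFD_AVG_LIMIT * DEVICE_BUDGET_SHARE


def environment_factor(avg_temp_c):
    """Multiplier applied to the constant failure rates for the assumed environment.

    The manual gives 1.0 for a 40 °C long-term average and 2.5 for 60 °C.
    Treating every average above 40 °C with the full 2.5 factor is an
    assumption made here (conservative), not a rule from the manual.
    """
    return TEMP_FACTOR_60C if avg_temp_c > 40.0 else 1.0


def pfd_avg_1oo1(lambda_du, lambda_dd, proof_test_interval_years, mttr_hours=MTTR_HOURS):
    """Simplified IEC 61508-6 1oo1 expression (assumption, not from the manual):

        PFDavg ~= lambda_DU * T1 / 2 + lambda_DD * MTTR

    Rates are per hour, T1 (proof-test interval) and MTTR in hours. The
    linear form relies on the manual's constant-failure-rate assumption.
    """
    t1_hours = proof_test_interval_years * HOURS_PER_YEAR
    return lambda_du * t1_hours / 2.0 + lambda_dd * mttr_hours


def check_budget(lambda_du, lambda_dd, proof_test_interval_years, avg_temp_c=40.0):
    """Apply the environment factor, compute PFDavg and compare it with the device budget.

    Returns (pfd_avg, within_budget).
    """
    factor = environment_factor(avg_temp_c)
    pfd = pfd_avg_1oo1(lambda_du * factor, lambda_dd * factor, proof_test_interval_years)
    return pfd, pfd < device_pfd_avg_limit()


if __name__ == "__main__":
    # Constructed placeholder rates (50 FIT dangerous undetected, 500 FIT
    # dangerous detected); they are NOT the device's FMEDA results.
    lam_du, lam_dd = 50e-9, 500e-9

    # 40 °C environment, yearly proof test: comfortably inside the 1e-3 share.
    pfd, ok = check_budget(lam_du, lam_dd, proof_test_interval_years=1.0)
    print(f"40 C, T1 = 1 y : PFDavg = {pfd:.3e}, within budget = {ok}")

    # 60 °C environment (x2.5) and a 5-year proof test: the same device
    # exceeds its 10 % share, so the loop designer must shorten T1 or
    # reallocate the budget.
    pfd, ok = check_budget(lam_du, lam_dd, proof_test_interval_years=5.0, avg_temp_c=60.0)
    print(f"60 C, T1 = 5 y : PFDavg = {pfd:.3e}, within budget = {ok}")
```

The second case is the one worth noticing: the temperature multiplier and a longer proof-test interval each scale the dominant lambda_DU * T1 / 2 term, so a device that fits its 10 % share at 40 °C with yearly proof testing can fail the same check once both assumptions drift.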