
2011-09
8
SAFETY MANUAL SIL KFD2-UT2-(EX)*, HID2082
Planning
2.2 Assumptions
The following assumptions have been made during the FMEDA analysis:
■ Failure rates are constant; wear-out mechanisms are not included.
■ Propagation of failures is not relevant.
■ Sufficient tests are performed prior to shipment to verify the absence of
vendor and/or manufacturing defects that prevent proper operation of
specified functionality to product specifications or cause operation different
from the design analyzed.
■ All modules are operated in the low demand mode of operation.
■ External power supply failure rates are not included.
■ Short circuit (SC) detection and lead breakage (LB) detection are activated.
■ The "HOLD" function is disabled.
■ Process-related parameters are protected by password.
■ Failures during parameterization are not considered.
■ Only one input and one output are part of the considered safety function
(2-channel version only).
■ The collective error output, which signals if the field wiring is broken or shorted,
is not considered in the FMEDA and the calculations.
■ The characteristics of the current output are set to NE43 (4 mA ... 20 mA).
■ The device shall claim less than 10 % of the total failure budget for a SIL2
safety loop.
■ For a SIL2 application operating in low demand mode, the total PFDavg value
of the SIF (Safety Instrumented Function) should be smaller than 10⁻², hence
the maximum allowable PFDavg value for the device would then be 10⁻³.
■ The stress levels are average for an industrial environment and can be
compared to the Ground Fixed classification of MIL-HDBK-217F.
Alternatively, the assumed environment is similar to:
• IEC 60654-1 Class C (sheltered location) with temperature limits within
the manufacturer's rating and an average temperature over a long period
of time of 40 ºC. Humidity levels are assumed to be within the manufacturer's
rating. For a higher average temperature of 60 ºC, the failure rates should
be multiplied by an experience-based factor of 2.5. A similar multiplier
should be used if frequent temperature fluctuation must be assumed.
■ The safety-related device is considered to be of type B components with a
Hardware Fault Tolerance of 0.
■ IEC 61511-1 section 11.4.4 allows devices to be used in applications one
SIL higher than given by table 3 of IEC 61508-2 if the device is proven in use.
The assessment and proven-in-use demonstration lead to the result that the
device may be used in applications up to SIL2. However, it is the responsibility
of the end user to decide on applying proven-in-use devices.
■ Failure rates are based on the Siemens SN29500 database.
■ It was assumed that the appearance of a safe error (e.g. output in safe state)
would be repaired within 8 hours (e.g. removal of sensor burnout).
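The budget and temperature assumptions above can be checked in planning with a small calculation. The following is an added example, not part of the manual or the manufacturer's tooling; it assumes the simplified single-channel estimate PFDavg ≈ λ_DU · T_I / 2 from IEC 61508 (HFT = 0, as stated above), a constructed placeholder λ_DU (the real value comes from the FMEDA report), and that only the 40 ºC and 60 ºC multipliers quoted in the text are documented.

```python
# Upper bound of the low-demand PFDavg band for each SIL (IEC 61508-1, table 2).
# The whole SIF must stay below this value; SIL2 gives the 10^-2 quoted above.
SIL_PFD_UPPER_LIMIT = {1: 1e-1, 2: 1e-2, 3: 1e-3, 4: 1e-4}

# Experience-based failure-rate multipliers from the assumptions:
# 1.0 at the assumed 40 degC average, 2.5 at a 60 degC average.
TEMPERATURE_FACTOR = {40: 1.0, 60: 2.5}


def device_pfd_budget(sil: int, share: float = 0.10) -> float:
    """Maximum PFDavg this device may claim: `share` (10 % by default) of the SIF limit."""
    return share * SIL_PFD_UPPER_LIMIT[sil]


def adjusted_lambda_du(lambda_du_per_h: float, avg_temp_c: int) -> float:
    """Scale a dangerous-undetected failure rate by the documented temperature factor.

    Assumption: only the two temperatures quoted in the manual have a factor;
    anything else is rejected rather than interpolated.
    """
    if avg_temp_c not in TEMPERATURE_FACTOR:
        raise ValueError(f"no documented multiplier for {avg_temp_c} degC")
    return lambda_du_per_h * TEMPERATURE_FACTOR[avg_temp_c]


def pfd_avg_1oo1(lambda_du_per_h: float, proof_test_interval_h: float) -> float:
    """Simplified IEC 61508 estimate for one channel with HFT = 0: lambda_DU * T_I / 2.

    Assumption: repair time and detected failures are neglected, as in the
    usual low-demand simplification.
    """
    return lambda_du_per_h * proof_test_interval_h / 2.0


def fits_budget(lambda_du_per_h, proof_test_interval_h, sil=2, avg_temp_c=40, share=0.10):
    """True when the estimated PFDavg stays within the device's share of the SIL budget."""
    lam = adjusted_lambda_du(lambda_du_per_h, avg_temp_c)
    return pfd_avg_1oo1(lam, proof_test_interval_h) < device_pfd_budget(sil, share)


if __name__ == "__main__":
    LAMBDA_DU = 1.0e-7  # constructed placeholder: dangerous undetected failures per hour
    T_I = 8760.0        # proof test interval: one year in hours
    for temp in (40, 60):
        pfd = pfd_avg_1oo1(adjusted_lambda_du(LAMBDA_DU, temp), T_I)
        ok = fits_budget(LAMBDA_DU, T_I, sil=2, avg_temp_c=temp)
        print(f"{temp} degC: PFDavg = {pfd:.2e}, within SIL2 device budget: {ok}")
```

With the placeholder rate, the same device passes the 10⁻³ budget at 40 ºC but fails it once the 2.5 multiplier for a 60 ºC environment is applied, which is why the environmental assumption has to be confirmed during planning.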