
FMEDA – Hardware Assessment: KF**-CRG2-**1.D
Document FS-0013PF-20C, sheet 5 of 10, template FTM-0027_1, scale 1:1
Date: 2011-Jan-17, responsible: DP.HSU, Mannheim
CONFIDENTIAL acc. to ISO 16016. Only valid as long as released in EDM or with a valid production documentation!

The listed failure rates are valid for operating stress conditions typical of an industrial field environment similar to IEC 60654-1 class C (sheltered location) with an average temperature over a long period of time of 40°C. For a higher average temperature of 60°C, the failure rates should be multiplied by an experience-based factor of 2.5. A similar multiplier should be used if frequent temperature fluctuation must be assumed.

The hardware assessment according to IEC 61508 has shown that the Transmitter Supply Isolators KF**-CRG2-*** have a PFD_AVG within the allowed range for SIL 2 according to table 2 of IEC 61508-1 and a Safe Failure Fraction (SFF) of > 83%. Based on the verification of "prior use" they can be used as a single device for SIL 2 safety functions in terms of IEC 61511-1 First Edition 2003-01.

A user of Transmitter Supply Isolators KF**-CRG2-*** can utilize these failure rates in a probabilistic model of a safety instrumented function (SIF) to determine suitability in part for safety instrumented system (SIS) usage in a particular safety integrity level (SIL).

2. Description of the Failure Categories

In order to judge the failure behaviour of the module KF**-CRG2-**.1D the following definitions for the failure of the product were considered:

Relay output:

Fail-safe state: The fail-safe state is defined as the output being de-energized (output relay contact is not conducting).

Safe state: A safe failure (S) is defined as a failure that causes the module / (sub)system to go to the defined fail-safe state without a demand from the process.

Dangerous: A dangerous failure (D) is defined as a failure that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state). The output remains energized.

No Effect: Failure of a component that is part of the safety function but has no effect on the safety function. For the calculation of the SFF it is treated like a safe undetected failure.

Not part: "Not part" means that this component is not part of the safety function, but is part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not part of the total failure rate (λ_total (safety function)).
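The following Python script is an added worked example, not part of the FMEDA report or of Pepperl+Fuchs' own tooling. It applies the two rules from this page to a constructed (hypothetical) component list: the 2.5 multiplier for a 60°C average temperature from section 1, and the category treatment from section 2 (No Effect counted as safe undetected for the SFF; Not Part excluded from both the SFF and λ_total). The SFF formula used, (λ_S + λ_DD) / (λ_S + λ_DD + λ_DU), is the IEC 61508 definition; the 1oo1 PFD_AVG ≈ λ_DU · T1 / 2 approximation is the simplified IEC 61508-6 formula and is an assumption added here, as are all component names and FIT values.

```python
"""Worked FMEDA bookkeeping for a single relay-output channel.

Added example: component list, FIT values and the 1oo1 PFD approximation
are assumptions for illustration, not values from the FMEDA report.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    SAFE = "S"                    # drives the output to the fail-safe (de-energized) state
    DANGEROUS_DETECTED = "DD"     # output stays energized, but revealed by diagnostics
    DANGEROUS_UNDETECTED = "DU"   # output stays energized, only found by a proof test
    NO_EFFECT = "NE"              # part of the safety function, no effect on it
    NOT_PART = "NP"               # in the circuit diagram, not in the safety function


@dataclass(frozen=True)
class Component:
    ref: str
    fit: float   # failure rate in FIT (1e-9 failures per hour) at 40 degC average
    mode: Mode


# Constructed sample component list (hypothetical, not from the report).
SAMPLE = [
    Component("R1", 2.0, Mode.SAFE),
    Component("K1 coil", 5.0, Mode.DANGEROUS_UNDETECTED),
    Component("C3", 3.0, Mode.NO_EFFECT),
    Component("D7", 1.0, Mode.NOT_PART),
    Component("Q2", 4.0, Mode.SAFE),
    Component("T1 winding", 2.0, Mode.DANGEROUS_DETECTED),
]

# Experience-based multipliers stated on this page (40 degC is the base case).
TEMPERATURE_FACTORS = {40: 1.0, 60: 2.5}


def scale_for_temperature(components, avg_temp_c):
    """Return a copy of the list with every FIT value scaled for the average temperature."""
    factor = TEMPERATURE_FACTORS[avg_temp_c]
    return [Component(c.ref, c.fit * factor, c.mode) for c in components]


def sum_by_category(components):
    """Sum FIT per SFF category. No Effect counts as safe undetected; Not Part is skipped."""
    totals = {"S": 0.0, "DD": 0.0, "DU": 0.0}
    for c in components:
        if c.mode is Mode.NOT_PART:
            continue                       # not part of the safety function: ignored
        if c.mode in (Mode.SAFE, Mode.NO_EFFECT):
            totals["S"] += c.fit           # NE treated like a safe undetected failure
        elif c.mode is Mode.DANGEROUS_DETECTED:
            totals["DD"] += c.fit
        elif c.mode is Mode.DANGEROUS_UNDETECTED:
            totals["DU"] += c.fit
    return totals


def lambda_total(components):
    """Total failure rate of the safety function in FIT (Not Part excluded)."""
    return sum(sum_by_category(components).values())


def sff(components):
    """Safe Failure Fraction per IEC 61508: (S + DD) / (S + DD + DU)."""
    t = sum_by_category(components)
    denominator = t["S"] + t["DD"] + t["DU"]
    return (t["S"] + t["DD"]) / denominator


def pfd_avg_1oo1(components, proof_test_interval_h):
    """Simplified single-channel PFD_AVG ~ lambda_DU * T1 / 2 (assumed IEC 61508-6 approximation)."""
    lambda_du_per_h = sum_by_category(components)["DU"] * 1e-9
    return lambda_du_per_h * proof_test_interval_h / 2


if __name__ == "__main__":
    for temp in (40, 60):
        scaled = scale_for_temperature(SAMPLE, temp)
        print(f"{temp} degC: lambda_total={lambda_total(scaled):.1f} FIT, "
              f"SFF={sff(scaled):.1%}, PFD_avg(T1=1 year)={pfd_avg_1oo1(scaled, 8760):.2e}")
```

Note that the temperature multiplier scales every category equally, so the SFF is unchanged between 40°C and 60°C while λ_total and PFD_AVG both grow by the factor of 2.5; the SFF depends only on the category split, which is why the page's "No Effect" and "Not part" rules matter for it.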

Released EDM checkout 23.02.2011