Safety-related characteristics, Safety-related characteristics 7.1 assumptions – KROHNE H250 M40 Safety V1 EN User Manual
Page 11
H250 M40
www.krohne.com
02/2012 - 4000904201 MA H250 M40 SIL R01 en

7 Safety-related characteristics

7.1 Assumptions
The following assumptions have been made during the Failure Modes, Effects and Diagnostic
Analysis of the variable-area flowmeter H250 M40.
• Failure rates are constant, wear out mechanisms are not included.
• Propagation of failures is not relevant.
• Failures resulting from incorrect use of the flowmeters H250 M40, in particular humidity
entering through incompletely closed housings or inadequate cable feeding through the
inlets, are not considered.
• Failures during parameterization are not considered.
• Sufficient tests are performed prior to shipment to verify the absence of vendor and/or
manufacturing defects that prevent proper operation of specified functionality to product
specifications or cause operation different from the design analyzed.
• The mean time to restoration (MTTR) after safe failure is 24 hours.
• All modules are operated in the low demand mode of operation.
• External power failure rates are not included.
• The HART® protocol at H250 M40 is only used for setup, calibration and diagnostic purposes,
not during safety operation mode.
• Practical fault insertion test can demonstrate the correctness of the failure effects assumed
during FMEDAs.
• The stress levels are average for an industrial outdoor environment and can be compared to
exida Profile 2 or Profile 4 with temperature limits within the manufacturer's rating. Other
environmental characteristics are assumed to be within the manufacturer's ratings.
• The switching contact outputs are connected to a NAMUR amplifier. The failure rates of the
amplifier are not included in the listed failure rates.
• Only the current output 4...20 mA or the limit switch outputs are used for safety applications.
• Lead breakage and short circuit detection is activated.
• The application program in the safety logic solver is configured to detect under-range and
over-range failures and does not automatically trip on these failures; therefore these failures
have been classified as dangerous detected failures. The failure rates of the safety logic
solver are not included in the listed failure rates.
• No effect failures are included in the "safe undetected" failure category. Note that these
failures on their own will not affect system reliability or safety, and should not be included in
spurious trip calculations.
The variable area flowmeter H250/M40/K* with inductive limit switches is classified as a Type A
subsystem (non-complex subsystem according to 7.4.3.1.2 of IEC 61508-2) with hardware fault
tolerance HFT=0. For Type A subsystems the SFF has to be > 60% for SIL2 subsystems with a
hardware fault tolerance of 0 (table 2 of IEC 61508-2).
The variable area flowmeter H250/M40/ESK with 4…20 mA output is classified as a Type B
subsystem (complex subsystem according to 7.4.3.1.3 of IEC 61508-2) with hardware fault
tolerance HFT=0. For Type B subsystems the SFF has to be > 60% for SIL1 subsystems with a
hardware fault tolerance of 0 (table 3 of IEC 61508-2).
MA_H250_M40_SIL2_R01_en_904201_PRT.book Page 11 Thursday, March 1, 2012 10:08 AM