
Specification of the safety function – KROHNE H250 M40 Safety V1 EN User Manual

02/2012 - 4000904201 MA H250 M40 SIL R01 en, www.krohne.com, page 7

4 Specification of the safety function

4.1 Description of the failure categories

In order to judge the failure behaviour of the H250 M40 variable-area flowmeter, the following definitions of flowmeter failures were used. The first group applies to both output variants; the remaining definitions depend on the output type.

Definitions applying to both variants

Fail-Safe: Failure that causes the subsystem to go to the defined fail-safe state without a demand from the process.

Fail Dangerous Undetected: Failure that is dangerous and that is not diagnosed by the internal diagnostics.

Fail Dangerous Detected: Failure that is dangerous but is detected by the internal diagnostics (these failures may be converted to the selected fail-safe state).

Fail No Effect: Failure of a component that is part of the safety function but is neither a safe failure nor a dangerous failure and has no effect on the safety function. For the calculation of the SFF it is treated like a safe undetected failure.

Not part: Failure of a component which is not part of the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not part of the total failure rate.

H250 M40 with inductive limit switch output

Fail-Safe State: The fail-safe state is defined as the output being de-energized.

Fail Dangerous: Failure that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state).

H250 M40 with 4…20 mA output

Fail-Safe State: The fail-safe state is defined as the output exceeding the user-defined threshold.

Fail Dangerous: Failure that does not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state) or that causes the output current to deviate by more than 2.5% of full span.

Fail High: Failure that causes the output signal to go to the maximum output current (> 21 mA) according to NAMUR NE43.

Fail Low: Failure that causes the output signal to go to the minimum output current (< 3.6 mA) according to NAMUR NE43.

In IEC 61508 the "No Effect" failures are defined as safe undetected failures even though they will not cause the safety function to go to a safe state. Therefore they need to be considered in the Safe Failure Fraction (SFF) calculation.

The demand response time of the H250 M40 is < 2 s.
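The following Python is an added worked example and is not code from the KROHNE manual. It shows how the categories defined above are used in practice: FMEDA-style failure rates are summed into the IEC 61508 Safe Failure Fraction, with "No Effect" folded into the safe rate as the manual states and "Not part" left out of both the SFF and the total failure rate, and a 4…20 mA reading is sorted into the NE43 Fail Low / Fail High bands or flagged as Fail Dangerous when it deviates from a reference by more than 2.5% of span (0.4 mA). All FIT values, component names and the reference current are constructed for illustration and are not H250 M40 data. The `no_effect_as_safe=False` path is a caveat for practitioners: IEC 61508-2:2010 (edition 2) no longer counts No Effect failures in the SFF, so the same FMEDA gives a lower SFF under the newer edition than under the convention this manual uses.

```python
"""Added worked example, not code from the KROHNE manual.

Aggregates FMEDA-style failure rates into the IEC 61508 Safe Failure
Fraction using the failure categories of section 4.1, and classifies a
4...20 mA loop current against NAMUR NE43 and the 2.5 %-of-span rule.
All sample data is constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    FAIL_SAFE = "Fail-Safe"
    FAIL_DANGEROUS_DETECTED = "Fail Dangerous Detected"
    FAIL_DANGEROUS_UNDETECTED = "Fail Dangerous Undetected"
    FAIL_NO_EFFECT = "Fail No Effect"
    NOT_PART = "Not part"


@dataclass(frozen=True)
class FailureMode:
    component: str
    category: Category
    rate_fit: float  # FIT: failures per 1e9 device-hours


# Which IEC 61508 lambda class each category contributes to.
_LAMBDA_CLASS = {
    Category.FAIL_SAFE: "S",
    Category.FAIL_DANGEROUS_DETECTED: "DD",
    Category.FAIL_DANGEROUS_UNDETECTED: "DU",
    Category.FAIL_NO_EFFECT: "NE",
}


def aggregate_rates(modes):
    """Sum FIT values per lambda class. 'Not part' modes are skipped:
    they count neither towards the SFF nor towards the total rate."""
    lam = {"S": 0.0, "DD": 0.0, "DU": 0.0, "NE": 0.0}
    for mode in modes:
        if mode.category is Category.NOT_PART:
            continue
        lam[_LAMBDA_CLASS[mode.category]] += mode.rate_fit
    return lam


def total_failure_rate(modes):
    """Total failure rate of the safety function in FIT
    (No Effect included, Not part excluded)."""
    return sum(aggregate_rates(modes).values())


def safe_failure_fraction(modes, no_effect_as_safe=True):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU).

    no_effect_as_safe=True folds the No Effect rate into lambda_S as a
    safe undetected failure (the manual's convention). False drops it
    from numerator and denominator (IEC 61508-2:2010 convention).
    """
    lam = aggregate_rates(modes)
    lam_s = lam["S"] + (lam["NE"] if no_effect_as_safe else 0.0)
    denominator = lam_s + lam["DD"] + lam["DU"]
    if denominator == 0:
        raise ValueError("no failure modes contribute to the safety function")
    return (lam_s + lam["DD"]) / denominator


# 4...20 mA output: NAMUR NE43 failure bands and the deviation rule.
NE43_FAIL_LOW_MA = 3.6    # below this the signal is Fail Low
NE43_FAIL_HIGH_MA = 21.0  # above this the signal is Fail High
SPAN_MA = 20.0 - 4.0      # full span of the 4...20 mA signal
MAX_DEVIATION_MA = 0.025 * SPAN_MA  # 2.5 % of full span = 0.4 mA


def classify_output(measured_ma, reference_ma):
    """Sort one loop current into the manual's categories.

    reference_ma is the current the output should carry; here it is
    assumed to come from an independent reference (e.g. a redundant
    measurement). A reading inside the NE43 live range that deviates
    by more than 2.5 % of span is the manual's Fail Dangerous case.
    """
    if measured_ma < NE43_FAIL_LOW_MA:
        return "Fail Low"
    if measured_ma > NE43_FAIL_HIGH_MA:
        return "Fail High"
    if abs(measured_ma - reference_ma) > MAX_DEVIATION_MA:
        return "Fail Dangerous"
    return "Within tolerance"


# Constructed FMEDA rows for illustration; not H250 M40 data.
SAMPLE_MODES = (
    FailureMode("output driver shorts to supply", Category.FAIL_SAFE, 120.0),
    FailureMode("ADC reference drift, flagged", Category.FAIL_DANGEROUS_DETECTED, 60.0),
    FailureMode("float position pickup offset", Category.FAIL_DANGEROUS_UNDETECTED, 40.0),
    FailureMode("EMC filter capacitor open", Category.FAIL_NO_EFFECT, 80.0),
    FailureMode("local display backlight", Category.NOT_PART, 50.0),
)

if __name__ == "__main__":
    print("total failure rate [FIT]:", total_failure_rate(SAMPLE_MODES))
    print("SFF, No Effect as safe  :", round(safe_failure_fraction(SAMPLE_MODES), 4))
    print("SFF, No Effect excluded :",
          round(safe_failure_fraction(SAMPLE_MODES, no_effect_as_safe=False), 4))
    for measured in (3.2, 12.0, 13.0, 21.5):
        print(f"{measured:5.1f} mA vs 12.0 mA reference ->", classify_output(measured, 12.0))
```

With the constructed rows the 50 FIT "Not part" entry vanishes from every total, the 80 FIT No Effect entry lifts the SFF from 180/220 to 260/300, and a 13.0 mA reading against a 12.0 mA reference is classed as Fail Dangerous even though it sits well inside the NE43 live range, which is exactly why the manual adds the 2.5% rule to the demand-response definition for the current output.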
