Specification of the safety function – KROHNE H250 M9 Safet V1 EN User Manual

4

SPECIFICATION OF THE SAFETY FUNCTION

6

H250

www.krohne.com

02/2012 - 4000656701 MA H250-M9 SIL R02

Specification of the safety function

4.1 Description of the failure categories

In order to judge the failure behavior of the variable-area flowmeter H250/M9 with limit switch
output, the following definitions for the failure of the product were considered.

The "No Effect" failures are provided for those who wish to do reliability modeling more detailed
than required by 61508. In IEC 61508 the "No Effect" failures are defined as safe undetected
failures even though they will not cause the safety function to go to a safe state. Therefore they
need to be considered in the Safe Fraction calculation.

Fail-Safe State

The fail-safe state is defined as the output being de-energized or one of

the 2 limit switches is triggered. Fail Safe Failure that causes the module /

(sub) system to go to the defined fail-safe state without a demand from the

process.

Fail Dangerous

Failure that does not respond to a demand from the process (i.e. being

unable to go to the defined fail-safe state).

Fail Dangerous Undetected

Failure that is dangerous and that is not being diagnosed by internal

diagnostics.

Fail Dangerous Detected

Failure that is dangerous but is detected by internal diagnostics. (These

failures may be converted to the selected fail-safe state.)

Not Effect

Failure of a component that is part of the safety function but that has no

effect on the safety function. For the calculation of the SFF it is treated like

a safe undetected failure.

Not part

Failures of a component which is not part of the safety function but part of

the circuit diagram and is listed for completeness. When calculating the

SFF this failure mode is not taken into account. It is also not part of the

total failure rate.

MA_H250_M9_SIL2_R02_en_656701_PRT.book Page 6 Thursday, March 1, 2012 10:26 AM