PFH as a target parameter to measure the hardware safety integrity of the SCS

The parameter used to define the safety performance of the SIL (Safety Integrity Level) is the probability of dangerous failure per hour (PFHd). The higher the SIL, the lower the probability that the SCS fails to perform the required safety function.

The SIL must be defined for each safety-related function resulting from risk analysis.

Table 3 of the Standard gives the correspondence between SIL and PFH.

SIL   PFH (dangerous failures per hour)
1     < 10^-5
2     < 10^-6
3     < 10^-7

Table 3 - SIL limits and PFH values

Determining the PFH of the SCS

The PFH of an SCS is the sum of the individual values of all subsystems’ PFH participating in the realization of the SCS and shall include the probability of dangerous transmission errors (PTE) for any digital data communication involved.

PFH_SCS = PFH_subsystem_1 + … + PFH_subsystem_n + PTE

Hardware wiring connecting subsystems is part of systematic integrity, and possible dangerous failures on the wiring shall be detected by online diagnostics.

Determining the SIL of the SCS

After having derived the PFH of the SCS, the resulting SIL is found from Table 3. It follows that the maximum SIL is limited by the sum of the PFH values of all subsystems.

The SIL of the SCS can only be equal to or less than the lowest SIL of any of the subsystems participating in the realization of the SCS. However, the PFH values of the single subsystems are not restricted (for example, a SIL 2 subsystem can have a PFH lower than 10^-7).

Example

PFH_SCS = 1.5×10^-8 + 2×10^-9 + 4×10^-8 = 5.7×10^-8

SIL   PFH (dangerous failures per hour)
1     < 10^-5
2     < 10^-6
3     < 10^-7

It follows that the SIL of this SCS, although the overall PFH value would be suitable for SIL 3, is limited to SIL 2, since SIL 2 is the lowest SIL among the three subsystems.
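As an added example (not code from the page or the Standard), the following Python applies the two rules above: sum the subsystem PFH values plus PTE, map the total to a SIL using the Table 3 limits, and cap the result at the lowest subsystem SIL. The PFH values are the page's; the subsystem names and the SIL 3 / SIL 2 / SIL 3 assignment are assumptions, since the page only states that one subsystem is SIL 2.

```python
from dataclasses import dataclass
from typing import List, Optional

# Table 3 upper limits on PFH (dangerous failures per hour) as given on the page:
# SIL 3 requires PFH < 1e-7, SIL 2 < 1e-6, SIL 1 < 1e-5.
# Ordered from the most demanding level downwards so the first match is the highest SIL.
SIL_PFH_LIMITS = [(3, 1e-7), (2, 1e-6), (1, 1e-5)]


@dataclass
class Subsystem:
    name: str
    pfh: float  # dangerous failures per hour
    sil: int    # SIL the subsystem itself is rated for


def sil_from_pfh(pfh: float) -> Optional[int]:
    """Highest SIL whose PFH limit the value satisfies (strict '<'); None if PFH >= 1e-5."""
    for sil, limit in SIL_PFH_LIMITS:
        if pfh < limit:
            return sil
    return None


def scs_pfh(subsystems: List[Subsystem], pte: float = 0.0) -> float:
    """PFH_SCS = PFH_subsystem_1 + ... + PFH_subsystem_n + PTE (dangerous transmission errors)."""
    return sum(s.pfh for s in subsystems) + pte


def scs_sil(subsystems: List[Subsystem], pte: float = 0.0) -> Optional[int]:
    """SIL of the SCS: the SIL reached by the summed PFH, capped at the lowest subsystem SIL."""
    by_pfh = sil_from_pfh(scs_pfh(subsystems, pte))
    if by_pfh is None:
        return None  # total PFH too high for any SIL claim
    return min(by_pfh, min(s.sil for s in subsystems))


# Constructed example: PFH values from the page; names and SIL ratings are assumed.
EXAMPLE = [
    Subsystem("input", 1.5e-8, 3),
    Subsystem("logic", 2e-9, 2),
    Subsystem("output", 4e-8, 3),
]

if __name__ == "__main__":
    total = scs_pfh(EXAMPLE)
    print(f"PFH_SCS = {total:.2e}  SIL by PFH = {sil_from_pfh(total)}  SIL of SCS = {scs_sil(EXAMPLE)}")
```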

In addition, the safety integrity of the SCS is limited also by the systematic capabilities (for example, environmental influences, EMC, and detection principle).

Requirements for systematic safety integrity

The value of PFH is only one of the parameters that contribute to SIL assignment.
In order to claim a SIL, it is also necessary to prove that all the requirements relating to:

  • The avoidance of systematic hardware failures
  • The control of systematic failures
  • The use of robust and reliable components (complying with product standards, where available)
  • The environmental conditions in which the safety system will have to operate

have been taken into consideration and complied with and, where software had to be written, that all the organizational and design aspects relevant for the target SIL have been adopted.

Safety measures with regards to electromagnetic phenomena

The SCS shall not be affected by electromagnetic interference to the point of disturbing the safety function or making it ineffective in a way that could lead to an unacceptable risk.

Adequate performance with respect to electromagnetic disturbances is therefore mandatory.

When available, only electrical and/or electronic devices or apparatus which meet the requirements of the relevant product standard regarding immunity against electromagnetic phenomena should be used. Examples of such product standards are IEC 61326-3-1, IEC 61800-5-2, IEC 61496-1 and IEC 60947-5-3 (CD stage).

If no dedicated product standard exists addressing electromagnetic influences on functional safety aspects, the generic standard IEC 61000-6-7:2014 should be applied. A comprehensive safety analysis regarding the effects of electromagnetic disturbances on the SCS shall be carried out to derive the immunity limits required for the needed SIL.

For pre-designed subsystems according to this standard, the foreseeable electromagnetic threats in the real environment of the equipment should be considered in the SRS. The immunity requirements should be based on the generic standard IEC 61000-6-7:2014 if no relevant dedicated product-family or product standard addressing electromagnetic influences on functional safety exists for the subsystem. For pre-designed subsystems designed according to PL a or PL b of ISO 13849-1, the applicable EMI standard is IEC 61000-6-2:2014.

For the integration of SCS into the electrical equipment of the machine EMI measures according to Annex H of IEC 60204-1 should be applied. In particular:

  • Avoid large conductive loops and do not install different electrical wiring systems in common routes (e.g. power supply, communication, control and signal cables)
  • Use RF filters and overvoltage and transient protection for safety-related input/output signals
  • If applicable, use shielded and earthed cables for motors, or a sine filter between motor and inverter, or equivalent measures