Pepperl+Fuchs KF**-CRG2-Ex1.D, KFD2-CRG2-Ex1.D, KF**-CRG2-1.D Series, KFU8-CRG2-Ex1.D, KFU8-CRG2-1.D Series Manual

2

PROCESS AUTOMATION

MANUAL

Functional Safety

Transmitter Power Supply
KF**-CRG2-(Ex)1.D

ISO9001

Functional Safety KF**-CRG2-(Ex)1.D

With regard to the supply of products, the current issue of the following document is

applicable: The General Terms of Delivery for Products and Services

of the Electrical Industry, published by the Central Association of the Electrical Industry

(Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most recent

version as well as the supplementary clause: "Expanded reservation of proprietorship"

Functional Safety KF**-CRG2-(Ex)1.D

Content

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.1 Content of this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.2 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.3 Symbols Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Product Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.1 Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.2 Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.3 Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.4 Standards and Directives for Functional Safety. . . . . . . . . . . . 8

3 Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.1 System Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.3 Safety Function and Safe State . . . . . . . . . . . . . . . . . . . . . . . . 11

3.4 Characteristic Safety Values . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3.5 Useful Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.6 Derating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4 Mounting and Installation . . . . . . . . . . . . . . . . . . . . . . . . 15

4.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5 Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5.1 Proof Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

6 Maintenance and Repair . . . . . . . . . . . . . . . . . . . . . . . . . 19

7 List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

2017-12

3

Functional Safety KF**-CRG2-(Ex)1.D

Introduction

1Introduction

1.1 Content of this Document

This document contains information for usage of the device in functional safety­related applications. You need this information to use your product throughout the
applicable stages of the product life cycle. These can include the following:

• Product identification

• Delivery, transport, and storage

• Mounting and installation

• Commissioning and operation

• Maintenance and repair

•Troubleshooting

•Dismounting

•Disposal

Note!

This document does not substitute the instruction manual.

Note!

For full information on the product, refer to the instruction manual and further
documentation on the Internet at www.pepperl-fuchs.com.

The documentation consists of the following parts:

•Present document

• Instruction manual

•Manual

• Datasheet

Additionally, the following parts may belong to the documentation, if applicable:

• EU-type examination certificate

• EU declaration of conformity

• Attestation of conformity

• Certificates

• Control drawings

• FMEDA report

• Assessment report

• Additional documents

For more information about functional safety products from Pepperl+Fuchs see
www.pepperl-fuchs.com/sil.

4

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Introduction

1.2 Safety Information

Target Group, Personnel

Responsibility for planning, assembly, commissioning, operation, maintenance,
and dismounting lies with the plant operator.

Only appropriately trained and qualified personnel may carry out mounting,
installation, commissioning, operation, maintenance, and dismounting of the
product. The personnel must have read and understood the instruction manual
and the further documentation.

Intended Use

The device is only approved for appropriate and intended use. Ignoring these
instructions will void any warranty and absolve the manufacturer from any liability.

The device is developed, manufactured and tested according to the relevant
safety standards.

Use the device only

• for the application described

• with specified environmental conditions

• with devices that are suitable for this safety application

Improper Use

Protection of the personnel and the plant is not ensured if the device is not used
according to its intended use.

2017-12

5

Functional Safety KF**-CRG2-(Ex)1.D

Introduction

1.3 Symbols Used

This document contains symbols for the identification of warning messages and
of informative messages.

Warning Messages

You will find warning messages, whenever dangers may arise from your actions.
It is mandatory that you observe these warning messages for your personal safety
and in order to avoid property damage.

Depending on the risk level, the warning messages are displayed in descending
order as follows:

Danger!

This symbol indicates an imminent danger.

Non-observance will result in personal injury or death.

Warning!

This symbol indicates a possible fault or danger.

Non-observance may cause personal injury or serious property damage.

Caution!

This symbol indicates a possible fault.

Non-observance could interrupt the device and any connected systems and
plants, or result in their complete failure.

Informative Symbols

Note!

This symbol brings important information to your attention.

Action

This symbol indicates a paragraph with instructions. You are prompted to perform
an action or a sequence of actions.

6

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Product Description

2 Product Description

2.1 Function

General

The device supplies 2-wire and 3-wire transmitters, and can also be used with
current sources.

Two relays and an active 0/4 mA to 20 mA current source are available as
outputs. The relay contacts and the current output can be integrated in security­relevant circuits. The current output is easily scaled.

On the display the measured value can be indicated in various physical units.

The device is easily configured by the use of keypad or with the PACTware
configuration software.

The input has a line fault detection.

The device is mounted on a 35 mm DIN mounting rail according to EN 60715.

KFD2-CRG2-1.D

This signal conditioner provides the galvanic isolation between field circuits and
control circuits.

The device is supplied by a voltage of 20 V DC to 30 V DC via Power Rail or
terminals.

A fault is signalized by LEDs and a separate collective error message output.

KFD2-CRG2-Ex1.D

This isolated barrier is used for intrinsic safety applications.

The device is supplied by a voltage of 20 V DC to 30 V DC via Power Rail or
terminals.

A fault is signalized by LEDs and a separate collective error message output.

KFU8-CRG2-1.D

This signal conditioner provides the galvanic isolation between field circuits and
control circuits.

The device is supplied by a voltage of 20 V DC to 90 V DC or
48 V AC to 253 V AC via terminals.

A fault is signalized by LEDs.

KFU8-CRG2-Ex1.D

This isolated barrier is used for intrinsic safety applications.

The device is supplied by a voltage of 20 V DC to 90 V DC or
48 V AC to 253 V AC via terminals.

A fault is signalized by LEDs.

2017-12

7

Functional Safety KF**-CRG2-(Ex)1.D

Product Description

2.2 Interfaces

The device has the following interfaces.

• Safety relevant interfaces: input and output

• Non-safety relevant interfaces: collective error message output 
(only KFD2-CRG2-(Ex)1.D)

Note!

For corresponding connections see datasheet.

2.3 Marking

Pepperl+Fuchs GmbH
Lilienthalstraße 200, 68307 Mannheim, Germany

Internet: www.pepperl-fuchs.com

KFD2-CRG2-1.D, KFD2-CRG2-Ex1.D, KFU8-CRG2-1.D, KFU8­CRG2-Ex1.D

2.4 Standards and Directives for Functional Safety

Device-specific standards and directives

Functional safety IEC/EN 61508, part 2, edition 2010:

Functional safety of electrical/electronic/programmable
electronic safety-related systems (manufacturer)

System-specific standards and directives

Functional safety IEC/EN 61511, part 1 – 3, edition 2003:

Functional safety – Safety instrumented systems for the

process industry sector (user)

Up to SIL 2

8

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Planning

3 Planning

3.1 System Structure

3.1.1 Low Demand Mode of Operation

If there are two control loops, one for the standard operation and another one for
the functional safety, then usually the demand rate for the safety loop is assumed
to be less than once per year.

The relevant safety parameters to be verified are:

•the PFD
the T

• the SFF value (Safe Failure Fraction)

•the HFT architecture (Hardware Fault Tolerance)

value (average Probability of dangerous Failure on Demand) and

avg

value (proof test interval that has a direct impact on the PFD

1

3.1.2 High Demand or Continuous Mode of Operation

If there is only one safety loop, which combines the standard operation and
safety-related operation, then usually the demand rate for this safety loop is
assumed to be higher than once per year.

The relevant safety parameters to be verified are:

• the PFH value (Probability of dangerous Failure per Hour)

• Fault reaction time of the safety system

• the SFF value (Safe Failure Fraction)

•the HFT architecture (Hardware Fault Tolerance)

3.1.3 Safe Failure Fraction

The safe failure fraction describes the ratio of all safe failures and dangerous
detected failures to the total failure rate.

SFF = (

+ dd) / (s + dd + du)

s

avg

value)

A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or
(sub)systems in a complete safety loop. The device under consideration is
always part of a safety loop but is not regarded as a complete element or
subsystem.

For calculating the SIL of a safety loop it is necessary to evaluate the safe failure
fraction of elements, subsystems and the complete system, but not of a single
device.

Nevertheless the SFF of the device is given in this document for reference.

2017-12

9

Functional Safety KF**-CRG2-(Ex)1.D

Planning

3.2 Assumptions

The following assumptions have been made during the FMEDA:

• Failure rate based on the Siemens standard SN29500.

• Failure rates are constant, wear is not considered.

• External power supply failure rates are not included.

• The collective error message output is not safety relevant.

• The indication of a dangerous failure (via fault bus) is detected within 1 hour by
the programmable logic controller (PLC).

• The safety-related device is considered to be of type B device with a hardware
fault tolerance of 0.

• The device will be used under average industrial ambient conditions, which
are comparable with the classification "stationary mounted" in 
MIL-HDBK-217F. Alternatively, the following ambient conditions are assumed:

• IEC/EN 60654-1 Class C (sheltered location) with temperature limits in the

range of the manufacturer's specifications and an average temperature of

40 ºC over a long period. The humidity level is within manufacturer's rating.
For a higher average temperature of 60 ºC, the failure rates must be

multiplied by a factor of 2.5 based on experience. A similar factor must be
used if frequent temperature fluctuations are expected.

• Since the outputs of the device use common components, these outputs must
not be used in the same safety function.

• Features that extend the reaction time of the output are not considered within
the specified reaction time. It is the user's responsibility to consider this time
within the safety calculation.

• Observe the useful lifetime limitations of the output relays according to the
datasheet.

• The device must be configured for the required safety function before the
commissioning. During the operation any change of the configuration is not
allowed. See chapter 4.1.1.

• The device configuration is protected by a password against changing.

Analog Output

• The application program in the programmable logic controller (PLC) is
configured to detect underrange and overrange failures.

10

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Planning

SIL 2 Application

• The device shall claim less than 10 % of the total failure budget for a SIL 2
safety loop.

• For a SIL 2 application operating in low demand mode the total PFD
of the SIF (Safety Instrumented Function) should be smaller than 10
the maximum allowable PFD

• For a SIL 2 application operating in high demand mode the total PFH value of
the SIF should be smaller than 10
PFH value would then be 10

• Since the control loop has a hardware fault tolerance of 0 and it is a type B
device, the SFF must be > 60 % according to table 2 of IEC/EN 61508-2 for a
SIL 2 (sub) system.

• The IEC/EN 61511-1 section 11.4.4 allows devices to be used in applications
one SIL higher than given by table 3 of IEC/EN 61508-2, if the device is
proven-in-use. The assessment and proven-in-use demonstration lead to the
result that the device may be used in applications up to SIL 2. However, it is
the responsibility of the end-user to decide on applying proven-in-use devices.

avg

-7

per hour.

value would then be 10-3.

-6

per hour, hence the maximum allowable

value

avg

-2

, hence

3.3 Safety Function and Safe State

3.3.1 Safe State

Relay contact output

The safe state is present when the output is de-energized.

Current output

The safe state is present when the output signal is < 4 mA or > 20 mA.

3.3.2 Safety Function

Relay contact output

The safe state is initiated when the input current falls below a certain value (fault
current Min) or exceeds a certain value (fault current Max).

Current output

The device transfers a current value with 5 % accuracy related to the full scale of
the output.

3.3.3 Reaction Time

The reaction time for all safety functions is < 1 s.

Note!

See corresponding datasheets for further information.

2017-12

11

Functional Safety KF**-CRG2-(Ex)1.D

Planning

3.4 Characteristic Safety Values

Parameters Characteristic values

Relay contact output Current output

KFD2-CRG2­(Ex)1.D

Assessment type FMEDA report with proven-in-use assessment

KFU8-CRG2­(Ex)1.D

KFD2-CRG2­(Ex)1.D

1

KFU8-CRG2­(Ex)1.D

Device type B

Mode of operation Low demand mode or high demand mode

HFT 0

SIL (SC) 2

Safety function Digital output Analog output

2



s

2



dd

2



du









SFF

2

no effect

2

no part

total (safety function)

total (signal path)

3

165 FIT 213 FIT 137 FIT 177 FIT

70 FIT 79 FIT 74 FIT 83 FIT

114 FIT 108 FIT 90 FIT 81 FIT

164 FIT 194 FIT 151 FIT 178 FIT

35.8 FIT 34.4 FIT 35.0 FIT 34.8 FIT

348 FIT 399 FIT 300 FIT 341 FIT

548 FIT 628 FIT 486 FIT 554 FIT

67 % 72 % 70 % 76 %

PTC 99 % 99 % 99 % 99 %

4

MTBF

1

PFH

PFD

for T1 = 1 year 4.96 x 10-4 1/h 4.75 x 10-4 1/h 3.94 x 10-4 1/h 3.56 x 10-4 1/h

avg

PFD

for T1 = 2 years 9.92 x 10-4 1/h 9.50 x 10-4 1/h 7.88 x 10-4 1/h 7.12 x 10-4 1/h

avg

PFD

for T1 = 5 years 2.48 x 10-3 1/h

avg

Reaction time

6

207 years 181 years 234 years 206 years

1.13 x 10-7 1/h

5

1.08 x 10-7 1/h

4

2.37 x 10-3 1/h

4

9.00 x 10-8 1/h 8.10 x 10-8 1/h

4

1.97 x 10-3 1/h

3

1.78 x 10-3 1/h

< 1 s

3

Table 3.1

1

For the proven-in-use demonstration, sales figures, customer returns and questionnaires filled out by
customers were used which show that no unknown systematic faults are expected. The device is based on a
former device that was evaluated for a proven-in-use statement by exida.com GmbH.

2

The failure rates were adapted to most recent date base values. The edition 1 evaluation is still valid for
existing installations.

3

For the calculation of the values acc. to IEC/EN 61508:2010, the "no effect" values are excluded from the
SFF calculation.

4

acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 8 h.

5

For using this proof test interval for the safety application, the usage of more than 10 % of the failure rate for
the safety loop is necessary.

6

Time between fault detection and fault reaction

12

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Planning

Note!

The characteristic values apply to all modes of operation that can be set on the
device.

The characteristic safety values like PFD, PFH, SFF, HFT and T
the FMEDA report. Observe that PFD and T

The function of the devices has to be checked within the proof test interval (T

3.5 Useful Lifetime

Although a constant failure rate is assumed by the probabilistic estimation this
only applies provided that the useful lifetime of components is not exceeded.
Beyond this useful lifetime, the result of the probabilistic estimation is
meaningless as the probability of failure significantly increases with time. The
useful lifetime is highly dependent on the component itself and its operating

conditions – temperature in particular. For example, the electrolytic capacitors

can be very sensitive to the operating temperature.

This assumption of a constant failure rate is based on the bathtub curve, which
shows the typical behavior for electronic components.

Therefore it is obvious that failure calculation is only valid for components that
have this constant domain and that the validity of the calculation is limited to the
useful lifetime of each component.

It is assumed that early failures are detected to a huge percentage during the
installation and therefore the assumption of a constant failure rate during the
useful lifetime is valid.

are taken from

1

are related to each other.

1

).

1

However, according to IEC/EN 61508-2, a useful lifetime, based on general
experience, should be assumed. Experience has shown that the useful lifetime
often lies within a range period of about 8 to 12 years.

As noted in DIN EN 61508-2:2011 note N3, appropriate measures taken by the
manufacturer and plant operator can extend the useful lifetime.

Our experience has shown that the useful lifetime of a Pepperl+Fuchs product
can be higher if the ambient conditions support a long life time, for example if the

ambient temperature is significantly below 60 °C.

Please note that the useful lifetime refers to the (constant) failure rate of the
device. The effective life time can be higher.

2017-12

13

Functional Safety KF**-CRG2-(Ex)1.D

Planning

Derating

For the safety application, reduce the number of switching cycles or the maximum
current. A derating to 2/3 of the maximum value is adequate.

Maximum Switching Power of Output Contacts

The useful lifetime is limited by the maximum switching cycles of the relays under
load conditions.

Note!

See corresponding datasheets for further information.

14

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Mounting and Installation

4 Mounting and Installation

Installing the Device

1. Observe the safety instructions in the instruction manual.

2. Observe the information in the manual.

3. Observe the requirements for the safety loop.

4. Connect the device only to devices that are suitable for this safety application.

5. Check the safety function to ensure the expected output behavior.

4.1 Configuration

Configuring the Device via Keypad

The device is configured via keypad. The keypad for setting the safety functions is
on the front of the device.

1. Open the cover.

2. Configure the device for the required safety function via the keypad, see

chapter 4.1.

3. Protect the device configuration by a password against changing.

4. Leave the parameterization mode to prevent unintentional adjustments.

5. Close the cover.

6. Check the device configuration to ensure the expected output behavior.

7. Document any changes to the device configuration.

2017-12

15

Functional Safety KF**-CRG2-(Ex)1.D

Mounting and Installation

Configuring the Device via PACTware Operating Software

The device can also be configured via the PACTware operating software. The
interface for connecting a personal computer for configuring is on the front of the
device.

1. Open the cover.

2. Connect a personal computer via the K-ADP-USB adapter to the device.

3. Configure the device for the required safety function via the PACTware
operating software, see chapter 4.1.1.

4. Protect the device configuration by a password against changing.

5. Leave the parameterization mode to prevent unintentional adjustments.

6. Disconnect the personal computer from the device.

7. Close the cover.

8. Check the device configuration to ensure the expected output behavior.

9. Document any changes to the device configuration.

Note!

For more information see the manual.

4.1.1 Configuration for Use in Safety Function

Configuring the Device for Use in Safety Function

1. Configure the device for the required safety function via the keypad or the
operating software.

2. Enable the short circuit (SC) detection and lead breakage (LB) detection.

3. Disable the HOLD function.

4. Set the characteristic of the current output to the 4 mA to 20 mA NE 43 mode.

5. Set the fault current of the current output to "Min" or "Max".

6. Protect the device configuration by a password against changing.

Note!

For more information see the manual.

16

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Operation

5Operation

Danger!

Danger to life from missing safety function

If the safety loop is put out of service, the safety function is no longer guaranteed.

• Do not deactivate the device.

• Do not bypass the safety function.

• Do not repair, modify, or manipulate the device.

Operating the device

1. Observe the safety instructions in the instruction manual.

2. Observe the information in the manual.

3. Use the device only with devices that are suitable for this safety application.

4. Correct any occurring safe failures within 8 hours. Take measures to maintain
the safety function while the device is being repaired.

5.1 Proof Test

According to IEC/EN 61508-2 a recurring proof test shall be undertaken to reveal
potential dangerous failures that are not detected otherwise.

Check the function of the subsystem at periodic intervals depending on the
applied PFD
See chapter 3.4.

It is under the responsibility of the plant operator to define the type of proof test
and the interval time period.

Check the settings after the configuration by suitable tests.

Equipment required:

• Digital multimeter with an accuracy of 0.1 %

Use for the proof test of the intrinsic safety side of the device a special digital
multimeter for intrinsically safe circuits.

If intrinsically safe circuits are operated with non-intrinsically safe circuits, they
must no longer be used as intrinsically safe circuits.

• Power supply set to nominal voltage

• Load resistor i. e. 220 , 150 mW

• Simulate the sensor state by a NAMUR sensor simulator for 4 mA to 20 mA

signals. This simulator must also be capable to signal faults 
(i. e. with 2.0 mA or 21.5 mA).

avg

in accordance with the characteristic safety values. 

2017-12

17

Functional Safety KF**-CRG2-(Ex)1.D

Operation

Proof Test Procedure for the Current Output

1. Connect a digital multimeter and the load defined by the application to
terminals 7- and 8+.

2. Set the input current to 4 mA, 12 mA, and 20 mA, depending on the used
configuration.
Measure the output current and the relay function.

The Proof test for the current output is passed if the measured output

values are:

– for 4 mA application: 3.9 mA to 4.1 mA
– for 12 mA application: 11.9 mA to 12.1 mA
– for 20 mA application: 19.9 mA to 20.1 mA

3. Set the input current to 20 mA.
Measure the input voltage on terminals 1+ and 3-.

The proof test for the current output is passed if the measured input

voltage is  15 V.

4. If the line fault detection is activated, remove the current source on terminals
1+ and 3-.

The red LED flashes. The relay is in the high-impedance state.

5. Test the circuit diagnosis by simulating 2.0 mA ±1 % on the input if a MAX
alarm is configured and 21.5 mA ±1 % if a MIN alarm is configured.

The red LED flashes. The relay is in the high-impedance state.

6. Set back the device to the original settings for the current application after the
test.

Multimeter

(V)

NAMUR
sensor
simulator

Zone 0, 1, 2
Div. 1, 2

Multimeter

(mA)

KFD2-CRG2-Ex1.D

Supply +

Supply -

10
11
12

16
17
18

7­8+

1+

2-

3+

mA

Faul t

Supply

Bus

Multimeter

Multimeter

(mA)

220 Ω/150 mW

24 V DC

I supply

supply

(Ω)

Power

Multimeter

(Ω)

Zone 2

Div. 2

Figure 5.1 Proof test set-up for KF**-CRG2-(Ex)1.D

Usage in Zone 0, 1, 2/Div. 1, 2 only for KFD2-CRG2-Ex1.D or KFU8-CRG2-Ex1.D

18

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Maintenance and Repair

6 Maintenance and Repair

Danger!

Danger to life from missing safety function

If the safety loop is put out of service, the safety function is no longer guaranteed.

• Do not deactivate the device.

• Do not bypass the safety function.

• Do not repair, modify, or manipulate the device.

Maintaining, Repairing or Replacing the Device

In case of maintenance, repair or replacement of the device, proceed as follows:

1. Implement appropriate maintenance procedures for regular maintenance of
the safety loop.

2. Ensure the proper function of the safety loop, while the device is maintained,
repaired or replaced.
If the safety loop does not work without the device, shut down the application.
Do not restart the application without taking proper precautions.
Secure the application against accidental restart.

3. Do not repair a defective device. A defective device must only be repaired by
the manufacturer.

4. Replace a defective device only by a device of the same type.

2017-12

19

Functional Safety KF**-CRG2-(Ex)1.D

List of Abbreviations

7 List of Abbreviations

ESD Emergency Shutdown

FIT Failure In Time in 10

FMEDA Failure Mode, Effects, and Diagnostics Analysis



s



dd



du



no effect



not part



total (safety function)

HFT Hardware Fault Tolerance

MTBF Mean Time Between Failures

MTTR Mean Time To Restoration

PCS Process Control System

PFD

avg

PFH Average frequency of dangerous failure

PTC Proof Test Coverage

SFF Safe Failure Fraction

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIL (SC) Safety Integrity Level (Systematic Capability)

SIS Safety Instrumented System

T

1

Probability of safe failure

Probability of dangerous detected failure

Probability of dangerous undetected failure

Probability of failures of components in the safety loop that have
no effect on the safety function. The no effect failure is not used
for calculation of SFF.

Probability of failure of components that are not in the safety loop

Probability of failure of components that are in the safety loop

Average Probability of dangerous Failure on Demand

Proof Test Interval

-9

1/h

20

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Notes

2017-12

21

Functional Safety KF**-CRG2-(Ex)1.D

Notes

22

2017-12

Functional Safety KF**-CRG2-(Ex)1.D

Notes

2017-12

23

Subject to modifications
Copyright PEPPERL+FUCHS • Printed in Germany

www.pepperl-fuchs.com

PROCESS AUTOMATION –
PROTECTING YOUR PROCESS

Worldwide Headquarters

Pepperl+Fuchs GmbH
68307 Mannheim · Germany
Tel. +49 621 776-0
E-mail: info@de.pepperl-fuchs.com

For the Pepperl+Fuchs representative
closest to you check www.pepperl-fuchs.com/contact

DOCT-5896

12/2017