Pepperl+Fuchs KFD2-RSH-1.2D.FL2, KFD2-RSH-1.2D.FL3 Original Instructions Manual

Functional Safety
Relay Module KFD2-RSH-1.2D.FL2, KFD2-RSH-1.2D.FL3
Up to SIL 3 and PL e
PROCESS AUTOMATION
ORIGINAL INSTRUCTIONS
With regard to the supply of products, the current issue of the following document is applicable: The General Terms of Delivery for Products and Services of the Electrical Industry, published by the Central Association of the Electrical Industry (Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most recent version as well as the supplementary clause: "Expanded reservation of proprietorship"

Functional Safety KFD2-RSH-1.2D.FL2, KFD2-RSH-1.2D.FL3
2018-06

Content
1 Introduction
1.1 Content of this Document
1.2 Safety Information
1.3 Symbols Used
2 Product Description
2.1 Function
2.2 Interfaces
2.3 Marking
2.4 Standards and Directives for Functional Safety
3 Planning
3.1 System Structure
3.2 Assumptions
3.3 Safety Function and Safe State
3.4 Characteristic Safety Values
3.5 Useful Lifetime
4 Mounting and Installation
4.1 Mounting
4.2 Installation
4.3 Configuration
5 Operation
5.1 Internal Diagnosis
5.2 Proof Test Procedure
5.3 Application Examples
6 Maintenance and Repair
7 List of Abbreviations
1 Introduction
1.1 Content of this Document
This document contains safety-relevant information for usage of the device. You need this information to use your product throughout the applicable stages of the product life cycle. These can include the following:
• Product identification
• Delivery, transport, and storage
• Mounting and installation
• Commissioning and operation
• Maintenance and repair
• Troubleshooting
• Dismounting
• Disposal
The documentation consists of the following parts:
• Present document
• Instruction manual
  • Manual
  • Datasheet
Additionally, the following parts may belong to the documentation, if applicable:
• EU-type examination certificate
• EU declaration of conformity
• Attestation of conformity
• Certificates
• Control drawings
• FMEDA report
• Assessment report
• Additional documents
For more information about Pepperl+Fuchs products with functional safety, see www.pepperl-fuchs.com/sil.
Note!
For full information on the product, refer to the further documentation on the Internet at www.pepperl-fuchs.com.
1.2 Safety Information
Target Group, Personnel
Responsibility for planning, assembly, commissioning, operation, maintenance, and dismounting lies with the plant operator.
Only appropriately trained and qualified personnel may carry out mounting, installation, commissioning, operation, maintenance, and dismounting of the product. The personnel must have read and understood the instruction manual and the further documentation.
Intended Use
The device is only approved for appropriate and intended use. Ignoring these instructions will void any warranty and absolve the manufacturer from any liability.
The device is developed, manufactured and tested according to the relevant safety standards.
Use the device only
• for the application described
• with specified environmental conditions
• with devices that are suitable for this safety application
Improper Use
Protection of the personnel and the plant is not ensured if the device is not used according to its intended use.
1.3 Symbols Used
This document contains symbols for the identification of warning messages and of informative messages.
Warning Messages
You will find warning messages, whenever dangers may arise from your actions. It is mandatory that you observe these warning messages for your personal safety and in order to avoid property damage.
Depending on the risk level, the warning messages are displayed in descending order as follows:
Danger!
This symbol indicates an imminent danger.
Non-observance will result in personal injury or death.
Warning!
This symbol indicates a possible fault or danger.
Non-observance may cause personal injury or serious property damage.
Caution!
This symbol indicates a possible fault.
Non-observance could interrupt the device and any connected systems and plants, or result in their complete failure.
Informative Symbols
Action
This symbol indicates a paragraph with instructions. You are prompted to perform an action or a sequence of actions.
Note!
This symbol brings important information to your attention.
2 Product Description
2.1 Function
General
This signal conditioner provides the galvanic isolation between field circuits and control circuits.
The de-energized to safe (DTS) function is permitted for SIL 3 and PL e applications.
An internal fault or a line fault is signaled by an impedance change at the relay contact input and by an additional relay contact output.
A fault is also signaled by LEDs and by a separate collective error message output.
The output must be protected against contact welding by an internal fuse or an external current limitation.
KFD2-RSH-1.2D.FL2
The device is a relay module that is suitable for safe switching of a load circuit. The device isolates load circuits up to 60 V DC from the 24 V DC control circuit.
KFD2-RSH-1.2D.FL3
The device is a relay module that is suitable for safe switching of a load circuit. The device isolates load circuits up to 230 V AC from the 24 V DC control circuit.
2.2 Interfaces
The device has the following interfaces:
• Safety-relevant interfaces: input, output (DTS)
• Non-safety-relevant interfaces: fault indication output
2.3 Marking
Note!
For corresponding connections see datasheet.
Pepperl+Fuchs GmbH Lilienthalstraße 200, 68307 Mannheim, Germany
Internet: www.pepperl-fuchs.com
KFD2-RSH-1.2D.FL2, KFD2-RSH-1.2D.FL3 Up to SIL 3 and PL e
2.4 Standards and Directives for Functional Safety
Device-specific standards and directives
• Functional safety: IEC/EN 61508, part 1 – 2, edition 2010: Functional safety of electrical/electronic/programmable electronic safety-related systems (manufacturer)
• Machinery Directive 2006/42/EC
  • EN/ISO 13849, part 1, edition 2015: Safety-related parts of control systems (manufacturer)
  • IEC 62061, edition 2005 + A1:2012 + A2:2015 / EN 62061, edition 2005 + Cor. 2010 + A1:2013 + A2:2015: Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
3 Planning
3.1 System Structure
3.1.1 Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one for the functional safety, then usually the demand rate for the safety loop is assumed to be less than once per year.
The relevant safety parameters to be verified are:
• the PFDavg value (average Probability of dangerous Failure on Demand) and the T1 value (proof test interval, which has a direct impact on the PFDavg value)
• the SFF value (Safe Failure Fraction)
• the HFT architecture (Hardware Fault Tolerance)
3.1.2 High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and safety-related operation, then usually the demand rate for this safety loop is assumed to be higher than once per year.
The relevant safety parameters to be verified are:
• the PFH value (Probability of dangerous Failure per Hour)
• the fault reaction time of the safety system
• the SFF value (Safe Failure Fraction)
• the HFT architecture (Hardware Fault Tolerance)
3.1.3 Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous detected failures to the total failure rate:
SFF = (λs + λdd) / (λs + λdd + λdu)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or (sub)systems in a complete safety loop. The device under consideration is always part of a safety loop but is not regarded as a complete element or subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure fraction of elements, subsystems and the complete system, but not of a single device.
Nevertheless the SFF of the device is given in this document for reference.
3.2 Assumptions
The following assumptions have been made during the FMEDA:
• Failure rates are constant; wear is not considered.
• Failure rates are based on the Siemens standard SN29500.
• The safety-related device is considered to be a type A device with a hardware fault tolerance of 0.
• The device will be used under average industrial ambient conditions comparable to the classification "stationary mounted" according to MIL-HDBK-217F. Alternatively, operating stress conditions typical of an industrial field environment similar to IEC/EN 60654-1 Class C with an average temperature over a long period of time of 40 °C may be assumed. For a higher average temperature of 60 °C, the failure rates must be multiplied by a factor of 2.5 based on experience. A similar factor must be used if frequent temperature fluctuations are expected.
• The nominal voltage at the digital input is 24 V. Ensure that the nominal voltage does not exceed 26.4 V under all operating conditions.
• The DO card must be able to supply a signal current of at least 100 mA.
• For high demand mode, observe the useful lifetime limitations of the output relays.
• The relay contacts must be protected against overcurrent with a suitable current limitation. For this purpose, either the internal fuse or an external current limitation with the same limit values must be used.
SIL 3 application
• The device shall claim less than 10 % of the total failure rate for a SIL 3 safety loop.
• For a SIL 3 application operating in low demand mode the total PFDavg value of the SIF (Safety Instrumented Function) should be smaller than 10^-3, hence the maximum allowable PFDavg value for the device would then be 10^-4.
• For a SIL 3 application operating in high demand mode the total PFH value of the SIF should be smaller than 10^-7 per hour, hence the maximum allowable PFH value for the device would then be 10^-8 per hour.
• Since the safety loop has a hardware fault tolerance of 0 and it is a type A device, the SFF must be > 90 % according to table 2 of IEC/EN 61508-2 for a SIL 3 (sub)system.
SILCL and PL application
The device was qualified for use in safety functions acc. to IEC/EN 62061 and EN/ISO 13849-1. The device fulfils the requirements for a SILCL of SIL 3 acc. to IEC/EN 62061 and due to the equivalency between these standards PL e acc. to EN/ISO 13849-1.
3.3 Safety Function and Safe State
Safety Function
Whenever the input of the device is de-energized, the DTS output is not conducting.
Safe State
In the safe state of the safety function the DTS output is open (non-conducting).
Reaction Time
The reaction time is < 2 s.
3.4 Characteristic Safety Values
The characteristic safety values like PFD, PFH, SFF, HFT and T1 are taken from the FMEDA report. Observe that PFD and T1 are related to each other.
The function of the devices has to be checked within the proof test interval (T1).
Parameters | Characteristic values
Assessment type and documentation | Full assessment
Device type | A
Mode of operation | Low demand mode or high demand mode
Safety function | Output is de-energized (DTS, de-energized to safe)
HFT | 0
SIL (SC) | 3
SILCL | 3
PL | e
λs (1) | 453 FIT
λdd | 0 FIT
λdu (2) | 0.86 FIT
λtotal (safety function) (1) | 454 FIT
λtotal | 1735 FIT
SFF (1) | 99.8 %
MTBF (3) | 66 years
MTTFd | 1115 years (high)
DCavg (4) | 95.3 %
PTC | 95.3 %
PFH | 8.55 x 10^-10 1/h
PFDavg for T1 = 1 year (5) | 5.36 x 10^-6
PFDavg for T1 = 2 years (4) | 8.95 x 10^-6
PFDavg for T1 = 3 years (4) | 1.25 x 10^-5
Reaction time (6) | < 2 s
Table 3.1
(1) "No effect failures" do not influence the safety function and are therefore not included in the SFF and in the failure rates of the safety function.
(2) While the diagnostic function is signaling the dangerous failure of one relay, the other two redundant relays continue to provide the safety function. Exceptions are common cause failures that disrupt all three relays. While the diagnostic function is signaling the failure, the probability of a dangerous undetected failure for the remaining two relays increases to 2.0 FIT.
(3) According to SN29500. This value includes failures which are not part of the safety function; MTTR = 8 h. The value is calculated for one safety function of the device.
(4) Enable the internal fault detection to achieve a diagnostic coverage of 95.3 %. See chapter 5.1.
(5) Since the current PTC value is < 100 % and therefore the probability of failure will increase, calculate the PFD value according to the following formula: PFDavg = (λdu / 2) x (PTC x T1 + (1 – PTC) x Tservice). A service time Tservice of 10 years was assumed for the calculation of PFDavg.
(6) Time between fault detection and fault reaction.
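A worked check of the values above, added here as an example and not part of the manual: it recomputes the SFF of chapter 3.1.3 from the FIT values in Table 3.1, evaluates the PFDavg formula of footnote 5 for T1 = 1, 2 and 3 years, and applies the SIL 3 limits from chapter 3.2. The function names, the convention of 8760 h per year and the 10-year Tservice taken from footnote 5 are assumptions of this example.

```python
"""Recompute the characteristic safety values of Table 3.1 (added example, not manual code)."""

HOURS_PER_YEAR = 8760.0   # assumption: 1 year = 8760 h, the usual FMEDA convention
FIT = 1e-9                # 1 FIT = 1 failure per 1e9 h (chapter 7)

# Failure rates and coverage values as stated in Table 3.1
LAMBDA_S = 453.0          # FIT, safe failures
LAMBDA_DD = 0.0           # FIT, dangerous detected failures
LAMBDA_DU = 0.86          # FIT, dangerous undetected failures
PTC = 0.953               # proof test coverage (95.3 %)
T_SERVICE_YEARS = 10      # service time assumed in footnote 5
PFH_PER_HOUR = 8.55e-10   # 1/h, from Table 3.1


def safe_failure_fraction(lam_s, lam_dd, lam_du):
    """SFF = (λs + λdd) / (λs + λdd + λdu), chapter 3.1.3."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def pfd_avg(lam_du_fit, ptc, t1_years, t_service_years=T_SERVICE_YEARS):
    """PFDavg = (λdu / 2) x (PTC x T1 + (1 - PTC) x Tservice), footnote 5 of Table 3.1.

    The fraction (1 - PTC) of dangerous undetected failures is never revealed by a
    proof test, so it accumulates over the whole service time instead of over T1.
    Passing ptc=1.0 gives the idealised λdu x T1 / 2 of a perfect proof test.
    """
    t1 = t1_years * HOURS_PER_YEAR
    t_service = t_service_years * HOURS_PER_YEAR
    return (lam_du_fit * FIT / 2.0) * (ptc * t1 + (1.0 - ptc) * t_service)


def sil3_budget_check(pfd, pfh, sff):
    """Apply the SIL 3 limits of chapter 3.2 to one device.

    The device may claim at most 10 % of the loop budget (PFDavg < 1e-3 -> 1e-4,
    PFH < 1e-7 -> 1e-8 per hour) and, as a type A device with HFT 0, needs SFF > 90 %.
    """
    return {
        "pfd_ok": pfd < 1e-4,
        "pfh_ok": pfh < 1e-8,
        "sff_ok": sff > 0.90,
    }


def proof_test_interval_report(max_years=3):
    """PFDavg per proof test interval T1 (years), rounded to three significant digits."""
    return {t1: float(f"{pfd_avg(LAMBDA_DU, PTC, t1):.3g}") for t1 in range(1, max_years + 1)}


if __name__ == "__main__":
    sff = safe_failure_fraction(LAMBDA_S, LAMBDA_DD, LAMBDA_DU)
    print(f"SFF = {sff:.1%}")
    ideal = pfd_avg(LAMBDA_DU, 1.0, 1)
    print(f"PFDavg with a perfect proof test (PTC = 100 %), T1 = 1 year: {ideal:.2e}")
    for t1, pfd in proof_test_interval_report().items():
        print(f"T1 = {t1} year(s): PFDavg = {pfd:.2e} -> {sil3_budget_check(pfd, PFH_PER_HOUR, sff)}")
```

Running it reproduces the table rows (5.36e-06, 8.95e-06 and 1.25e-05) and shows that the 4.7 % of undetected failures left by the proof test add roughly 1.6e-06 to the one-year figure compared with a perfect proof test.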
3.5 Useful Lifetime
Although a constant failure rate is assumed by the probabilistic estimation, this only applies provided that the useful lifetime of components is not exceeded. Beyond this useful lifetime, the result of the probabilistic estimation is meaningless as the probability of failure significantly increases with time. The useful lifetime is highly dependent on the component itself and its operating conditions – temperature in particular. For example, the electrolytic capacitors can be very sensitive to the operating temperature.
This assumption of a constant failure rate is based on the bathtub curve, which shows the typical behavior for electronic components.
Therefore it is obvious that failure calculation is only valid for components that have this constant domain and that the validity of the calculation is limited to the useful lifetime of each component.
It is assumed that early failures are detected to a huge percentage during the installation and therefore the assumption of a constant failure rate during the useful lifetime is valid.
However, according to IEC/EN 61508-2, a useful lifetime based on general experience should be assumed. Experience has shown that the useful lifetime often lies within a range of about 8 to 12 years.
As noted in DIN EN 61508-2:2011 note N3, appropriate measures taken by the manufacturer and plant operator can extend the useful lifetime.
Our experience has shown that the useful lifetime of a Pepperl+Fuchs product can be higher if the ambient conditions support a long lifetime, for example if the ambient temperature is significantly below 60 °C.
Please note that the useful lifetime refers to the (constant) failure rate of the device. The effective life time can be higher.
Derating
For the safety application, reduce the number of switching cycles or the maximum current. A derating to 2/3 of the maximum value is adequate.
Maximum Switching Power of Output Contacts
The useful lifetime is limited by the maximum switching cycles of the relays under load conditions.
Note!
See corresponding datasheets for further information.
4 Mounting and Installation
Mounting and Installing the Device
1. Observe the safety instructions in the instruction manual.
2. Observe the information in the manual.
3. Observe the requirements for the safety loop.
4. Connect the device only to devices that are suitable for this safety application.
5. Check the safety function to ensure the expected output behavior.
4.1 Mounting
Tighten the terminal screws with a torque of 20 Nm.
4.2 Installation
To avoid contact welding we recommend using a series fuse in the load circuit.
The device is delivered with a replaceable fuse. Replace this fuse only with a fuse up to 5 AT. Optionally use an unfused terminal with an external current limitation.
4.3 Configuration
Configuring the Device
The device is configured via DIP switches. The DIP switches are on the side of the device.
1. De-energize the device before configuring the device.
2. Remove the device.
3. Configure the device via the DIP switches.
4. Secure the DIP switches to prevent unintentional adjustments.
5. Mount the device.
6. Connect the device again.
Note!
The device configuration via DIP switches is not safety relevant.
Note!
See corresponding datasheets for further information.
4.3.1 Output Configuration
Switch S1 | Switch S2 | Line fault detection | Internal fault detection
Off | Off | disabled | disabled
On | Off | enabled | disabled
Off | On | not used | not used
On | On | enabled | enabled
Table 4.1
5 Operation
Operating the device
1. Observe the safety instructions in the instruction manual.
2. Observe the information in the manual.
3. Use the device only with devices that are suitable for this safety application.
4. Correct any occurring safe failures within 8 hours. Take measures to maintain the safety function while the device is being repaired.
Danger!
Danger to life from missing safety function
If the safety loop is put out of service, the safety function is no longer guaranteed.
Do not deactivate the device.
Do not bypass the safety function.
Do not repair, modify, or manipulate the device.
Danger!
Danger to life from faulty or missing fuse protection of the relay contacts
Faulty or missing fuse protection of the relay contacts can compromise the safety function and the electrical safety of the device.
Protect the relay contacts with a suitable current limitation against overcurrent.
Use the internal fuse for protection.
If you do not use the internal fuse, use an external current limitation with the same limit values.
Warning!
Risk of burns from hot surface
Touching the hot surface of the device can result in burns.
Do not touch the hot surface of the device.
Let the device surface cool down before touching the device.
Do not cover the warning marking on the device. Do not remove the warning marking from the device.
5.1 Internal Diagnosis
With enabled internal fault detection a diagnostic coverage of 95.3 % is achieved. Monitor one of the 4 possible ways of fault detection:
• Input impedance change (1)
• Fault indication output
• Collective error message output
• LED indication
(1) In this case only use a safety PLC with digital output and line fault detection.
The device has three output relays. Therefore, three switching operations are necessary to ensure a complete diagnosis. You have 2 options to achieve the diagnostic coverage, see step 2 or 3.
Internal Diagnosis Procedure
1. Enable the internal fault detection. See chapter 4.3.1.
2. Switch on the output manually three times, or observe whether the output switches on three times during normal operation.
3. Check the output function at periodic intervals. Switch on the output at least three times a year as described in steps 1 to 3.
Note!
Maintain a distance of at least 2 s between the switching processes.
5.2 Proof Test Procedure
According to IEC/EN 61508-2 a recurring proof test shall be undertaken to reveal potential dangerous failures that are not detected otherwise.
Check the function of the subsystem at periodic intervals depending on the applied PFDavg in accordance with the characteristic safety values. See chapter 3.4.
It is under the responsibility of the plant operator to define the type of proof test and the interval time period.
Conditions
If the conditions are met, you can also check the device in the application.
Proof Test Procedure
1. Enable the internal fault detection and the line fault detection. See chapter 4.3.1.
2. Check the device as shown in the following tables.
3. After check reset the device to the necessary settings.
4. Check the correct behavior of the safety loop. Is the configuration correct?
| KFD2-RSH-1.2D.FL2 | KFD2-RSH-1.2D.FL3
Load power supply | > 5 V DC | > 35.5 V AC
Device power supply (LED PWR is on) | 24 V DC | 24 V DC
Load | 13.2 Ω < R < 7.3 kΩ | 39.2 Ω < R < 45 kΩ
Current through load | 14 mA < I < 1.9 A | 13.5 mA AC < I < 4.9 A AC
Table 5.1
The proof test is passed only if all tests are completed successfully.
Test No. | Input | Output
1 | V = 0 V DC between terminals 7+ and 8- | 
2 | Wait at least 2 seconds. | LED OUT is off. LED FLT is off (1).
3 | V = 24 V DC between terminals 7+ and 8- | 
4 | Wait at least 2 seconds. | LED OUT is on. LED FLT is off (1).
5 | V = 0 V DC between terminals 7+ and 8- | 
6 | Wait at least 2 seconds. | LED OUT is off. LED FLT is off (1).
7 | V = 24 V DC between terminals 7+ and 8- | 
8 | Wait at least 2 seconds. | LED OUT is on. LED FLT is off (1).
9 | V = 0 V DC between terminals 7+ and 8- | 
10 | Wait at least 2 seconds. | LED OUT is off. LED FLT is off (1).
11 | V = 24 V DC between terminals 7+ and 8- | 
12 | Wait at least 2 seconds. | LED OUT is on. LED FLT is off (1).
Table 5.2 Expected test results for the proof test
(1) When the FLT LED flashes, a line fault is present. Check whether the supply voltage and the connected load are in the OK range of the line fault detection. When the FLT LED is lit continuously, an internal fault is present. Reset the internal fault by interrupting the power supply (terminals 14+/15-).
5.3 Application Examples
5.3.1 Standard Application for Dual Pole Switching
For a switching application, the device has to be connected to the process control system and to the load as follows.
Figure 5.1 Standard application for dual pole switching
In the standard application, the process control system is connected to terminals 7+ and 8-. The line fault transparency (LFT) of the safety relay must be compatible with the line fault detection of the process control system output. Terminals 10 and 11 can be used as fault indication output to the process control system.
The characteristic safety values valid for the standard application can be found in Table 3.1.
[Figure 5.1: wiring diagram of the KFD2-RSH-1.2D.FL2 showing the process control system (24 V DC, Zone 2) at terminals 7+/8-, the fault output at terminals 10/11, the power rail supply at terminals 14+/15-, and the DTS output to the load at terminals 2-, 3, 4+, 5+, 6]
5.3.2 Application with Fault Indication Output in the Signal Loop of the Dual Pole Switching
Some process control systems do not work with test pulses, or use specific test pulses that do not recognize the impedance change with which the device output signals a line fault. Where the output of the process control system can detect an open circuit in the signal loop, the fault indication output of the device may be put in series with the input. See Figure 5.2.
Figure 5.2 Application with fault indication output in the signal loop of the dual pole switching
If the fault indication output is open, the output relay contacts cannot be enabled. Since the fault is detected by the process control system, a suitable reaction can be planned. The user must ensure that a suitable reaction to this detected fault is implemented.
For this application, the characteristic safety values are the same. The characteristic safety values can be found in Table 3.1.
[Figure 5.2: wiring diagram of the KFD2-RSH-1.2D.FL2 as in Figure 5.1, with the fault indication output (terminals 10/11) wired in series with the signal loop at terminals 7+/8-; power rail supply at terminals 14+/15-, DTS output to the load at terminals 2-, 3, 4+, 5+, 6]
6 Maintenance and Repair
Maintaining, Repairing or Replacing the Device
In case of maintenance, repair or replacement of the device, proceed as follows:
1. Implement appropriate maintenance procedures for regular maintenance of the safety loop.
2. Ensure the proper function of the safety loop, while the device is maintained, repaired or replaced. If the safety loop does not work without the device, shut down the application. Do not restart the application without taking proper precautions. Secure the application against accidental restart.
3. Do not repair a defective device. A defective device must only be repaired by the manufacturer.
4. Replace a defective device only by a device of the same type.
Danger!
Danger to life from missing safety function
If the safety loop is put out of service, the safety function is no longer guaranteed.
Do not deactivate the device.
Do not bypass the safety function.
Do not repair, modify, or manipulate the device.
Warning!
Risk of burns from hot surface
Touching the hot surface of the device can result in burns.
Do not touch the hot surface of the device.
Let the device surface cool down before touching the device.
Do not cover the warning marking on the device. Do not remove the warning marking from the device.
7 List of Abbreviations
ESD | Emergency Shutdown
FIT | Failure In Time, in 10^-9 1/h
FMEDA | Failure Mode, Effects, and Diagnostics Analysis
λs | Probability of safe failure
λdd | Probability of dangerous detected failure
λdu | Probability of dangerous undetected failure
λno effect | Probability of failures of components in the safety loop that have no effect on the safety function. The no effect failure is not used for calculation of SFF.
λnot part | Probability of failure of components that are not in the safety loop
λtotal (safety function) | Probability of failure of components that are in the safety loop
HFT | Hardware Fault Tolerance
MTBF | Mean Time Between Failures
MTTR | Mean Time To Restoration
PCS | Process Control System
PFDavg | Average Probability of dangerous Failure on Demand
PFH | Average frequency of dangerous failure
PLC | Programmable Logic Controller
PTC | Proof Test Coverage
SFF | Safe Failure Fraction
SIF | Safety Instrumented Function
SIL | Safety Integrity Level
SIL (SC) | Safety Integrity Level (Systematic Capability)
SIS | Safety Instrumented System
T1 | Proof Test Interval
Tservice | Time from start of operation to putting the device out of service
DTS | De-energized To Safe (German: sicherheitsgerichtetes Abschalten)
ETS | Energized To Safe (German: sicherheitsgerichtetes Anschalten)
B10d | Number of switching cycles until 10 % of the components fail dangerously
DC | Diagnostic Coverage of dangerous faults
MTTFd | Mean Time To dangerous Failure
PL | Performance Level
SILCL | SIL Claim Limit (for a subsystem)
Subject to modifications · Copyright PEPPERL+FUCHS · Printed in Germany
www.pepperl-fuchs.com
Worldwide Headquarters
Pepperl+Fuchs GmbH, 68307 Mannheim, Germany, Tel. +49 621 776-0, E-mail: info@de.pepperl-fuchs.com
For the Pepperl+Fuchs representative closest to you check www.pepperl-fuchs.com/contact
PROCESS AUTOMATION – PROTECTING YOUR PROCESS
DOCT-5815B
06/2018