TJ01 JK VD IC0100004 IS1 - Code 4

N.
Surname
Doc. Title: Safety Validation Plan Page 2 of 46
Doc. No. TJ01-JK-VD-IC0100004 Doc. Rev. 1.1
REVISION DETAILS
Revision History of this Project Document

Date
Rev. Section Description
(MM/DD/YY)
A.0 07/02/19 All Issued for Approval
(3.3.2, 3.4.5, 3.4.6, 3.4.7, 3.4.10, 3.4.11,
A.1 07/08/19 Issued for Approval
3.4.12, 3.4.13, 3.5, & 4.2.4)
A.2 07/12/19 (3.4.13, 3.5, & 4.4.2) Issued for Approval
A 07/15/19 - Issued for Approval
0 07/25/19 - Issued for Approval
(1.2.2, 3.3.2, 3.4.1, 3.4.2, 3.4.3,3.4.4, 3.4.5,
1.0 11/12/19 3.4.6, 3.4.7, 3.4.9, 3.4.10, 3.4.12, 3.5, 4.4.1 Issued After FAT
& 4.4.2)
1.1 01/10/20 Appendix I – SIF#16 Issued After FAT
Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

Table of Contents
1 Introduction.................................................................................................................... 5
1.1 Purpose and Scope ................................................................................................... 5
1.2 Reference Documents ............................................................................................... 5
1.2.1 General ............................................................................................................... 5
1.2.2 Tecnimont & JGC Joint Venture (TJJV) .............................................................. 5
1.2.3 Yokogawa ........................................................................................................... 6
1.3 Definitions and Abbreviations .................................................................................... 7
1.4 Product certificate for ProSafe-RS ............................................................................. 9
1.5 Hold List .................................................................................................................. 10
2 Functional Safety Management .................................................................................. 11
2.1 Introduction ............................................................................................................. 11
2.2 The Safety Life Cycle .............................................................................................. 11
2.3 Safety Verification, Assessment and Validation ....................................................... 13
2.3.1 Introduction ....................................................................................................... 13
2.3.2 Verification ........................................................................................................ 13
2.3.3 Functional Safety Assessment .......................................................................... 13
2.3.4 Validation .......................................................................................................... 13
2.4 Systematic safety integrity ....................................................................................... 14
2.5 Reliability Calculations............................................................................................. 14
2.6 Responsibilities ....................................................................................................... 14
2.7 Operation and Maintenance .................................................................................... 14
2.8 Modifications ........................................................................................................... 14
2.9 TÜV Certification ..................................................................................................... 15
3 Safety Requirements - Safe Solutions ....................................................................... 16
3.1 Introduction ............................................................................................................. 16
3.2 Safety Requirement Specification............................................................................ 16
3.3 System Design ........................................................................................................ 16
3.3.1 System Overview .............................................................................................. 16
3.3.2 Design Principles .............................................................................................. 17
3.4 Requirements versus Solutions ............................................................................... 18
3.4.1 Safety Instrumented Functions/Loops ............................................................... 18
3.4.2 Safety Parameters ............................................................................................ 18
3.4.3 Safety Related Parameters ............................................................................... 19
3.4.4 Segregation ...................................................................................................... 20
3.4.5 Sensors ............................................................................................................ 21

3.4.6 Input Field Interfaces ........................................................................................ 21

3.4.7 LS Input Channels ............................................................................................ 22
3.4.8 Logic Solver(s) .................................................................................................. 22
3.4.9 LS Output Channels.......................................................................................... 23
3.4.10 Output Field Interfaces................................................................................... 24
3.4.11 Final Elements ............................................................................................... 25
3.4.12 Overrides and Inhibits .................................................................................... 26
3.4.13 Environment .................................................................................................. 27
3.4.14 Communication Interfaces ............................................................................. 28
3.4.15 Application Programming ............................................................................... 28
3.4.16 Security ......................................................................................................... 29
3.5 Safety Architecture .................................................................................................. 30
4 Safety Assessment Notes for the ESD system .......................................................... 39
4.1 Introduction ............................................................................................................. 39
4.2 Safety Architecture .................................................................................................. 40
4.2.1 Sensors ............................................................................................................ 40
4.2.3 Logic Solver including Input and Output channels ............................................. 41
4.2.4 Output Field Interfaces ...................................................................................... 41
4.2.5 Final Elements .................................................................................................. 41
4.3 Systematic Capability .............................................................................................. 41
4.3.1 Sensors ............................................................................................................ 41
4.3.3 Logic Solver including Input and Output channels ............................................. 41
4.3.4 Output Field Interfaces ...................................................................................... 42
4.3.5 Final Elements .................................................................................................. 42
4.4 Reliability Calculations............................................................................................. 42
4.4.1 Scope ............................................................................................................... 42
4.4.2 Results.............................................................................................................. 43
5 Miscellaneous .............................................................................................................. 44
6 Modifications ............................................................................................................... 44
End of document ................................................................................................................ 44
Appendix I Reliability Calculations

Appendix II Safety Certificates and Safety Manuals

1 Introduction
1.1 Purpose and Scope
This document describes the principal activities in the life cycle of the project to be executed by
Yokogawa relating to the verification and validation of the functional safety and safety integrity of the
Safety Instrumented System. The two objectives of this document are firstly to support that the Safety
Instrumented System(s) is realised according to the safety regulations as per international standards IEC
61508 and IEC 61511, and secondly to verify that the required safety integrity level is achieved.
Section 2 describes briefly the verification and validation process of the SIS.
Section 3 contains an analysis of the requirements on the SIS.
Section 4 contains an assessment of the safety functions.
This document has been prepared by Yokogawa with the assistance and approval of an independent
functional safety assessor appointed by GM604-GB. This assessor is responsible for internal safety
validation.
Although not being part of Yokogawa’s scope and responsibility, inconsistencies and deficiencies
within client’s safety requirements will be recorded in this SVP as far as they can be identified. It is
Yokogawa’s policy to present these at an early stage.
This SVP is a so-called lifecycle document, meaning that later (site) modifications might necessitate
the update of this document (IEC: “back to the appropriate phase”).
1.2 Reference Documents
1.2.1 General
IEC 61508 Functional safety of E/E/PES safety related systems (Edition -2)
IEC 61511 Safety Instrumented Systems for the process industry (Edition -2)
ISO 9001 Quality management
TJ01-JK-VD-PQ-0100001_Rev0 Project quality Plan
TJ01-JK-VD-PP0100003_Rev-0 Project Execution Plan
1.2.2 Tecnimont & JGC Joint Venture (TJJV)

Safety Requirement Specification, comprising:
[a] Application logic diagram, document no; A4-JGS1EP-EPC3-E00-DD-70-620_Rev 1
[b] ESD Technical Specification, document no; A4-JGS1EP-EPC3-E00-ES-70-620_Rev 0
[c] Safety Requirement Specification, document no; A4-JGS1EP-EPC3-E00-ES-70-601_Rev 0
[d] SIF Reliability Calculations, document no; A4-JGS1EP-EPC3-E00-CS-70-601_Rev 0
[e] DCS/ESD Software Freezing Meeting MOM (MOM-TJJV-JGS-YOK-0001 & MOM-TJJV-
YOK-0001)
[f] DCS/ESD Kick off meeting MOM (MOM-TJJV-YOK-0001)
[g] PE3 DCS & ESD point configuration database, document no; A3-JGS1EP-EPC3-E00-IN-70-
611/621_Rev 2
[h] PE3 Plant Tag Assignment, document no; A4-JGS1EP-EPC3-E00-IN-70-620_Rev 0
[i] Hardware RFI Reply; TJJV-YIL-ESD HW-RFI005_reply
[j] Hardware RFI Reply; TJJV-YIL-ESD HW-RFI002_Wiring-TA-LM-TJJV reply for DO line
monitoring

1.2.3 Yokogawa
ProSafe-RS Safety Manual (IM32P01S10-01EN (5))
ProSafe-RS Engineering guide Vol. 1 (IM32P01C10-01EN(5))
ProSafe-RS Engineering guide Vol. 2 (IM32P01C20-01EN(5))
ProSafe-RS Installation Guidance (TI32P01J10-01EN (8))
Functional Design Specification Hardware - TJ01-JK-VD-IS0100003_Rev-A submitted on 26-Apr-
2019
Functional Design Specification Software - TJ01-JK-VD-IS0100004_Rev_A submitted on 26-Apr-
2019
Installation, Operation & Maintenance of Manuals - TJ01-JK-VD-OM0100001 IOM
FAT Test Report - TJ01-JK-VD-MB0100002.

1.3 Definitions and Abbreviations

AI : Analog Input
BPCS : Basic Process Control System
DCS : Distributed Control System
DoC (FS) : Declaration of Conformance for Functional Safety
DI : Digital Input
DO : Digital Output
ESD : Emergency Shut Down
FAT : Factory Acceptance Test
FBD : Function Block Diagram
FDS : Functional Design Specification
FGS : Fire and Gas System
FSAC : Functional Safety Assessment Check sheet
FSM : Functional Safety Management
GM604-GB : Yokogawa GM604 Governance Board
HART : Highway Addressable remote transducer
HAZOP : Hazard and Operability study
HFT : Hardware Fault Tolerance
HMI : Human Machine Interface
IC : Instructions for Commissioning
IHI : Instructions for Handling and Installation
IOM : Instructions for Operation and Maintenance
JGSPC : JG Summit Petrochemical Corporation
LS : Logic Solver
MOS : Maintenance Override Switch
MTTR : Mean Time To Repair
MTBF : Mean Time Between Failure
n.a. : Not applicable
n.s. : Not specified
PSMT : Procedure for Site Modification and Test
RSV : ProSafe-RS Safety Verifier
Safety Assurance group, Yokogawa’s independent
SA group : group of Functional Safety specialists, residing at Yokogawa in the
Netherlands
SC : Systematic Capability
SFF : Safe Failure Fraction

SIF : Safety Instrumented Function

SIL : Safety Integrity Level
SIS : Safety Instrumented System
SRS : Safety Requirements Specification
SVP : Safety Validation Plan
TJJV : Tecnimont & JGC Joint Venture

1.4 Product certificate for ProSafe-RS

ProSafe-RS is certified by TÜV to be used in applications up to and including SIL3 (IEC 61508)
Figure 1: TÜV certificate for ProSafe-RS

1.5 Hold List
Hold No. Subject Reason

2 Functional Safety Management
2.1 Introduction
The main requirement with respect to Functional Safety Management (FSM) is to assure the execution
of all steps of the lifecycle and to record this, so that it can be verified and audited at any time.
Considering that the IEC 61508 and 61511 standards are internationally accepted in industrial safety
nowadays, Yokogawa integrated the standards into the ISO 9001 quality system, which is subject to a
periodical audit by Lloyd’s. The result of this integration is the Quality management system (QMS) that
includes an FSM system in accordance with the standards IEC 61508 and 61511.
2.2 The Safety Life Cycle

Requirements on the realisation of safety instrumented systems are given in IEC 61508 part 2 and IEC
61511 Clauses 11, 12 and 13.
Being a system integrator of industrial safety systems, these sections are of most interest for Yokogawa.
The needed steps are included in the Yokogawa safety lifecycle model as illustrated in figure 2. This
figure presents how Yokogawa has implemented this realisation phase into the organisation.
Verification of all steps is done, enabling a continuous monitoring of working practices.
Figure 2: E/E/PE safety lifecycle in realization phase (source: IEC 61508-1 Ed.2 fig. 3)

Safety rela ted de live rables
Client’s
08-1:6, 7.1 08-1:7.18 08-1:7.8-14, 8
Safety Requir ements Specifica tion
08-2:6, 7.1 08-2:7.9 08-2:7.7, 8
11-1:5, 6 11-1:7 11-1:15
MoM sales
Pro ject Initi atio n
han dover
Ver ification checkli st SS1
FSAC
Review *****
FDS
08-2:7.1/2/3/4 BOM
Basic Design 11-1:11, 12
Ver ification checklist SS2
*****
Review IOM
Testpro c’s
08-2:7.4/6 SVP
Detailed Desi gn 11-1:11, 12.3
Functio nal Safety Ma nagemen t
Functio nal Safety Assessment

FSAC
Back to appro priate phase
Review
08-2:7.5
Imp lementatio n 11-1:12.4
Review
Punchl ist
08-1:7.18, 08-2:7.9 Testrecord s
Inte rnal Te st 11-1:12.5
Review DoC
Pun chl ist
08-2:7.7 FAT re port
Acceptance Test (FAT) 11-1:13
Vali dation checklist SS6
FSAC
Review
Pro ject Clo se Ou t
checklist SS7
08 = IEC 615 08
11 = IEC 615 11
-x = Par t
:y.z = Clause.subclause
**** = various documents
Figure 3: Yokogawa’s implementation of the realisation phase of the safety lifecycle
The steps to be taken for the realisation of the project are derived directly from the standards. Following
figure 2, the (Basic) Design phase is of most interest. Here the Safety Validation Plan (SVP) will be
produced, (this document) which is a comparison between the design and the Safety Requirement
Specification (SRS) including a quantitative assessment, at an early stage.
The outputs (deliverables) of the realisation steps are called living documents. This means that, when
needed, these documents will be updated/revised after any verification (review). After validation the
documents are considered as being final.

2.3 Safety Verification, Assessment and Validation
2.3.1 Introduction
In accordance with the procedures in the Quality System, safety verification will be an on-going process
to fulfil the functional safety requirements during the realisation phase of the project. The Safety
Instrumented System (SIS) consists of one or more so-called Safety Instrumented Functions (SIFs). A
calculation tool (RSV) is used to verify the required Safety Integrity Level(s) (SILs). The results are
presented in Appendix I of this document: Reliability Calculations results. Normal practice at
Yokogawa is to assess a worst-case selection of the SIFs, at least one SIF per SIL requirement and per
application.
2.3.2 Verification
Verification will be done by means of document review, visual inspection and system tests. At the end
of each project phase a review on deliverables and/or phase-related tests will be carried out. Applicable
GES DRCs and phase gate check sheets will used for document reviews and project phase reviews.
Verification will be done by a person independent from designer / originator. Details of applicable
DRCs and Phase gate check sheets in each phase of the safety lifecycle are referenced in the local FSM
procedures. For document review a review log will be kept. Applicable Test Specifications and/or
checklists will be used to verify whether the system(s) complies/comply with the design documents.
2.3.3 Functional Safety Assessment

During the realisation of the safety related system usually two safety assessments will be carried out by
a functional safety assessor, one after the design phase and one after the FAT. Details depend on the
project phase and are defined in the check sheet FSAC. When a check fails, it will be documented in
the check sheet. The functional safety assessor will verify the solution of the item during his next
assessment.
2.3.4 Validation
The Test procedures combined with applicable test records, and/or checklists will be used to
demonstrate the functioning of the system is in accordance with the customer requirement
specifications. After the FAT the functional safety assessor carries out a validation assessment to ensure
that the system is engineered and tested in accordance with the Quality System and the IEC
requirements. At that time, when all outstanding items have been cleared, the FSAC will be signed by
the Lead or Project Engineer and the Project Manager and countersigned by the functional safety
assessor. Together with the approved SVP including the reliability calculations, this will be the basis on
which the Declaration of Conformance of Functional Safety (DoC(FS)) will be issued. This DoC(FS)
will be valid during the life cycle of the system on the condition that the operation and maintenance of
the system will be in accordance with the required procedures.
The functional safety assessor is appointed by the GM604-GB and operates independently (which is
highly recommended by the IEC 61508 and 61511 standards) from the project execution departments.

2.4 Systematic safety integrity

In IEC 61508 Ed 2 several ways are defined to achieve systematic safety integrity.
Yokogawa will apply Route 1S: avoidance of systematic faults and control of systematic faults.
Yokogawa has their Functional Safety Management system in accordance with the requirements of IEC
61508 and IEC 61511. As such the Yokogawa organisation has a Systematic Capability 3 as per IEC
61508, part 2, 7.4.3.
2.5 Reliability Calculations

As mentioned before, reliability calculations are part of the functional safety assessment. Yokogawa
uses the ProSafe-RS Safety Verifier (RSV) to assess the safety integrity level(s) and availability of the
system. The reliability report provides among others the following assessment results:
The average probability of a dangerous failure on demand: PFDavg

The Mean Time Between Failures: MTBF
The system (operational) Availability: A
The calculation takes place during the design phase. When necessary, the calculation will be repeated
and presented in the re-issued SVP at the next project phases.
2.6 Responsibilities
After delivery the system must be installed and commissioned, after which it can be operated. Operation
and maintenance is the end-user’s responsibility. Yokogawa instructions to be concerned for these
activities are referred to in 1.2.3.
De-commissioning will not be Yokogawa’s responsibility.
2.7 Operation and Maintenance

Yokogawa provides the combined document: Instructions for Operation and Maintenance (IOM). This
document provides typical maintenance override and system information. The IOM can be used by the
client to develop plant maintenance and proof testing procedures required to maintain the SIL.
The maintenance activities and proof testing shall be executed by safety competent personnel.
2.8 Modifications
For the execution of modifications Yokogawa provides the document: Procedure for Site Modifications
and Test (PSMT). The execution of modifications shall be by safety trained and skilled engineers. Safety
validation must be done after implementation and testing of the modification on site.

2.9 TÜV Certification

Yokogawa’s Governance Board (GM604) has appointed several local Yokogawa Offices worldwide
for execution of safety projects. These offices are therefore obliged to have their Local Functional Safety
Management System in accordance with IEC 61511 and IEC 61508.
On top of that several offices have applied for individual certification by TÜV Rheinland for having
their Functional Safety Management system in accordance with IEC 61511 and IEC 61508:
• Yokogawa Europe Solutions B.V, The Netherlands
• Yokogawa Romania Bucharest
• Yokogawa Industrial Safety Systems SDN. BHD., Malaysia
• Yokogawa India Ltd, Bangalore
• Yokogawa Engineering Asia Pte Ltd, Singapore
• Yokogawa Middle East & Africa B.S.C. (c), Kingdom of Bahrain
• Yokogawa Corporation of America
Information can be found on the TÜV Rheinland website:

https://www.tuv.com/world/en/functional-safety-management-certification.html
Sample Certification
Figure 4: Example of a TÜV FSM certificate

3 Safety Requirements - Safe Solutions
3.1 Introduction
The verification of the system design is carried out by comparing it with the safety requirements, as
explained before. The comparison is based on splitting up the safety requirements into a number of
significant items, such as SIFs, their integrity levels, safety related interfaces, etc., which is presented
in section 3.4.
3.2 Safety Requirement Specification

Target SIL for each SIF’s are identified based on SRS (refer section 1.2.2, [d]) and SIL Report (refer
section 1.2.2, [a]) for the ESD system. Yokogawa has calculated the achieved SIL and meets the target
SIL, refer to the table of the below section 4.4.2.
3.3 System Design
3.3.1 System Overview

This JG Summit Stage 1 Expansion Project by JG Summit Petrochemical Corporation (JGSPC) is for
the implementation of a new High-Density Polyethylene unit (HDPE). The units will be located 120 km
south of Manila, in Batangas City, Philippines.
Yokogawa will deliver the Centum VP (R6.06) Distributed Control System (DCS) and ProSafe-RS
(R4.04) Emergency Shutdown System (ESD) for Tecnimont & JGC Joint Venture (TJJV).
The ESD system consists of the following stations Cabinets:
System Cabinet
SCS Number Unit Unit Description
Number
10 Catalyst Activation
20 Feedstock Preparation
30 Reactor Catalyst Preparation
SCS0307 PE3-ES-001
40 Reactor Common
41 Reactor A
42 Reactor B
50 Degassing and INRU
SCS0308 60 Fluff and Extrusion PE3-ES-002
80 ISBL Utilities

PE3 - Plant (Domain-03)
SENG
Bus1 Bus2
Bus1
Bus2
Prosafe-Rs Prosafe-Rs
SCS0307 SCS0308
Centum VP
FCS0301
Field IO’s: Field IO’s:

(DI’s, AI’s and (DI’s, AI’s and
DO’s) DO’s)
Figure 5: System configuration
3.3.2 Design Principles

The system consists of ESD & DCS. ESD shutdown logics are configured in ProSafe RS system. DCS
system configured for HMI interface & other Process control logics. To increase the availability level
for the ESD system dual configuration of CPU & I/O modules are used. For more detail information
refer to the ProSafe RS Engineering guide.
• ESD System is designed on the De-Energised to Safe Principal, except One SOV which is
consider as Energise to Safe as per the RFI TJJV-YIL-ESD HW-RFI005_reply.
• System Power supplies are redundant to reduce spurious trips.
• All DI-IS signals are considered with Barriers.
• All DI-IS signals are NAMUR sensors.
• Safety Relays used as interface devices for all DO signals.
• User Defined Function blocks are used for Application program development.
• The application program is developed using FBD.
• Override applicable for only AI signals. Password (Two level- Supervisor & Operator
Passwords) from HMI are required to enable the MOS.
• Security Key switch per controller is configured for handling unauthorized application
modifications.
Further detailed information on the system is given in the FDS.

3.4 Requirements versus Solutions
Sensor sub-system of SIS Logic solver Final Element sub-system of SIS
3.4.5 3.4.6 3.4.7 3.4.8 3.4.9 3.4.10 3.4.11
Sensor(s) Input LS Input LS LS Output Output Final
Field Interface Channel Channel Field Interface Element(s)
Model to clarify the used terms
3.4.1 Safety Instrumented Functions/Loops
Requirement Solution
The following Safety Instrumented Functions (SIFs) See section 4.4 for the PFDavg calculation result.
are specified: Based on the Safety Requirement Specification,
Yokogawa grouped the similar types of SIF loops
From the Safety Requirement Specification, into 16 typical SIFs in this SVP for calculations.
document no; A4-JGS1EP-EPC3-E00-ES-70- Refer Table under section 3.5.
601_Rev 0.
calculations are done and verified that Target SIL
meets the achieved SIL. Refer section 4.4.2 in this
document.
3.4.2 Safety Parameters
SIF See section 4.4 for the PFDavg calculation result.

SIL = 1,2,3 (Based on Safety Requirement
Specification, document no; A4-JGS1EP-EPC3- The ProSafe-RS is certified by TÜV Rheinland for
E00-ES-70-601_Rev 0). Refer table from annexure use in applications up to and including SIL3
I for more details according IEC 61508. See 1.3.4.
Proof test interval T = 1 year.

Refer A4-JGS1EP-EPC3-E00-ES-70-601_Rev 0 Proof test interval of 1 years for logic solver is used
Sec:6.2 Sheet 13 of 23, (Safety Requirement for calculation.
Specification or SRS). Ti has been considered by
CONTRACTOR no less
than 1 year.
Overall System lifetime is assumed as 10 Years

System lifetime TL = n.s year

3.4.3 Safety Related Parameters
System availability A = 99.99 % See section 4.4 for the availability calculation result.
Refer A4-JGS1EP-EPC3-E00-ES-70-620_Rev 0
Section 5.3.3 Sheet 9 of 28 (ESD TECHNICAL
SPECIFICATION).
MTTR = 8 hrs MTTR of 8 hours is used for calculation.

Sec:6.10 Sheet 20 of 23, (Safety Requirement
Specification or SRS). Any individual SIF is
designed with MTTR of 8 hours.
MTBF = n.s years MTBF=10 Years considered for calculation.
LS scan time = n.s msec The ProSafe-RS scan time is set to 300 msec
LS response time = n.s msec The ProSafe-RS response time (worst case) is twice
the scan time, being 2 X 300 = 600 msec
Process safety time = n.s msec Yokogawa is only responsible for the SIF response
time with respect to logic solver and interfaces.
However, this SIF response time is mostly
determined by the selection of the sensors and final
elements. It is client responsibility to check the SIF
response time with the inclusion of sensors and
valves against the process safety time.

3.4.4 Segregation
Functional separation: ESD system is segregated from BPCS.
Subsystems: n.a
BPCS: Yokogawa Centum VP is used as BPCS ESD system is a standalone system. 2 ESD
with Vnet/IP as communication mode controllers are applicable in PE-3 Plant.
Galvanic isolation: IO are segregated in terms of Analog and Digital.

I/O-groups: n.s SAI143-H: 4 to 20 mA inputs, 16 channels, module
isolation
SDV144: Non-voltage contact input, 16 channels,
module isolation
SDV541: 24 V DC output, 16 channels, module
isolation
I/O channels: n.s 2 kV AC between input signal and system. All input
lines of ProSafe-RS I/O modules are collective
isolated.
Power supplies: Yes Three voltage levels are applicable in this project.
Refer A4-JGS1EP-EPC3-E00-ES-70-620_Rev 0 - 115VAC redundant UPS supply will be provided
(ESD TECHNICAL SPECIFICATION). by customer.
Section:5.2.2. The ESD Power supplies shall be - 230VAC Non-UPS supply will be provided by
115 VAC, 60 Hz, and single phase. customer.
Section:6.12.1. All output and input signals shall be - 24VDC Power supplies for all IS and Non-IS (DI,
24Vdc. Interposing relays will be used to energize DO) are in Yokogawa scope of supply.
or de-energize solenoid valves which are 115 VAC.

3.4.5 Sensors
Analogue: 4 – 20 mA (Non-IS) The sensors are not in the scope of supply and not
included in the safety assessment.
Digital: VFC, NO, and NC type switches (IS and
Non-IS)
Type transmitters: Level, Temperature, Pressure,

Vibration, Current, Flow
Safety architecture: 1oo1, 1oo2, 1oo3, 1oo6, 2oo2,

2oo3, & 2oo4. (Based on Safety Requirement
Specification, document no; A4-JGS1EP-EPC3-
E00-ES-70-601_Rev 0)
3.4.6 Input Field Interfaces
IS isolators/barriers: Yes IS type Digital inputs are used with P&F HIC
Refer PE3 DCS & ESD point configuration 2831R1.
database, document no, A3-JGS1EP-EPC3-E00-
IN-70-611/621_Rev 2
Intrinsic Safety barrier required for NAMUR type
DI signals.
Signal splitters: n.a No Signal Splitters are used.
HART interfaces: n.a

Analogue Input barriers used are HART Compatible.
Interposing relays: n.a

Interposing Relays are not used.
Line monitoring: Yes
Refer MOM-TJJV-YOK-0001(ESD Software
Freezing Meeting), Day 2 point no 5. Program Enable switch will be provided with line
Program enable switch requires line monitoring monitoring function. Line monitoring function not
status. considered for other DI tags.
Safety certificates and/or safety manuals of the

applied interfaces are included in Appendix II.

3.4.7 LS Input Channels
Analogue: 4 – 20 mA (Non-IS) ProSafe-RS SAI143-H is used as Analogue Input

card
Digital: NC type switches (IS and Non-IS) ProSafe-RS SDV144 is used as Digital Input Card
Line monitoring: Yes Line monitoring is enabled for Program Enable

Refer MOM-TJJV-YOK-0001(ESD Software switch by enabling Detect disconnection and Detect
Freezing Meeting), Day 2 point no 5. short circuit in IO Parameter. Line Monitoring is
Program enable switch requires line monitoring disabled for another DI.
status.
Fusing: Yes All Digital input (except IS Signals) shall have fuse
Refer A4-JGS1EP-EPC3-E00-ES-70-620_Rev 0 type (WSI 6 -6720001279/1280) in +ve edge. -ve is
Section 6.4.2 Sheet 12 of 28 (ESD TECHNICAL connected with knife edge.
SPECIFICATION).
Terminal blocks for main power supplies, lighting,
output and input signals shall be provided with
fuses and blown fuse indicators or current limiting
devices where applicable.
3.4.8 Logic Solver(s)
Dual Inputs ProSafe-RS is used in a configuration with dual

Inputs, dual CPU and dual Outputs.
Dual CPU
The safety manuals of the ProSafe-RS are included in
Dual Outputs the Workbench installation package.

3.4.9 LS Output Channels
Power: 24 V DC ProSafe-RS SDV541 is used with relay as Digital

Output card
Lamp driver: n.a Lamp driver is not applicable
VFC: n.a Volt free contacts are not applicable.
Line monitoring: Yes Line monitoring is applicable for all DO up to relay

Refer TJJV-YIL-ESD HW-RFI002_Wiring-TA- coil only.
LM-TJJV reply for DO line monitoring. For MCC DO, Line monitoring is applicable up to
IRP Panel
For ETS DO, Line monitoring is applicable up to
Field (Line monitoring is done by relay with
additional DI as monitoring signal)
Fusing: Yes There is no direct output to field from the system.

Section 6.4.2 Sheet 12 of 28 (ESD TECHNICAL
SPECIFICATION).
Terminal blocks for main power supplies, lighting,
devices where applicable. Diagnostics included: yes.

3.4.10 Output Field Interfaces
IS isolators/barriers: n.a Barriers are not applicable
Interposing relays: Yes Safety Interposing relay are considered for all DO.
Refer A4-JGS1EP-EPC3-E00-ES-70-620_Rev 0 For DTS outputs relay (Make P+F, KDD0-RSH-
Section 6.12.1 Sheet 16 of 28 (ESD TECHNICAL 1.4S.PS2 (SIL3) shall be used, ETS DO signals
SPECIFICATION). (Make P+F KFD2-RSH-1.2E. L3 (SIL3)) relay shall
be used, which has line monitoring.
All output and input signals shall be 24Vdc. For MCC DO, relay will be mounted in IRP panel.
Interposing relays will be used to energize or de- For other DO, relay will be mounted in Marshalling
energize solenoid valves which are 115 VAC. panel
Line monitoring is applicable for all DO up to relay

Line monitoring: Yes coil only.
Refer TJJV-YIL-ESDHW-RFI002_Wiring-TA- For MCC DO, Line monitoring is applicable up to
LM-TJJV reply for DO line monitoring IRP Panel
For SOV DO, Line monitoring is applicable up to
Field (Line monitoring is done by relay with
additional DI as monitoring signal)
Fuse type with LED indication WSI 6/LD 10-36V

Fusing: Yes DC/AC terminal blocks shall be provided for each
Refer A4-JGS1EP-EPC3-E00-ES-70-620_Rev 0 individual DO signal +ve. -ve connected with knife
Section 6.4.2 Sheet 12 of 28 (ESD TECHNICAL edge terminal.
SPECIFICATION).
All digital output signals are connected through IS
Terminal blocks for main power supplies, lighting, barriers to field.
devices where applicable. Safety certificates and/or safety manuals of the
applied interfaces are included in Appendix II.

3.4.11 Final Elements
Solenoid(s): Yes The final elements are not in the scope of supply and
Safety architecture: 1oo1, 1oo2, 2oo2, 2oo3, 3oo3 & not included in the safety assessment.
4oo4
Valve(s): n.a Partial Stroke test is not applicable.

Safety architecture: n.a
Is Partial Stroke testing applied: n.a
Contactors: n.a
Alarms indicators: n.a


3.4.12 Overrides and Inhibits
Input overrides: Yes Input Override or MOS is applicable for ESD input
Refer A4-JGS1EP-EPC3-E00-ES-70-601-Rev 0 trip signals.
(Safety Requirement Specification or SRS) sheet 16 MOS are divided in group as per process segregation
of 23. (Interlock wise).
Individual MOS can be enabled only after applying
1) Activate individual MOS from DCS HMI. password by operator and by administrator.
Individual MOS can be enabled only after applying (Passwords are different for operator and
password by operator and by administrator. administrator)
(Passwords are different for operator and Only one input can be Overridden at a time among a
administrator) group.
Only one MOS is allowed inside the same MOS MOS for individual Inputs can be applied or removed
group. from Graphics in the HIS.
MOS for any input can be disabled by any of the
following actions
1. Disabling MOS Faceplate (Soft) from the
HMI.
2. Removal of Passwords (Soft) from the HMI.
Input inhibits: n.a Input inhibits is not applicable
Output overrides: n.a Output Override is not applicable
Start-up override: n.a Start-up override is not applicable
Override groups: Yes MOS are divided in group as per process segregation
Refer A4-JGS1EP-EPC3-E00-ES-70-601-Rev 0 (Interlock wise). Only one MOS can be activated in
(Safety Requirement Specification or SRS) sheet 16 a group.
of 23
Only one MOS is allowed inside the same MOS
group at same time.
HW override: n.a
Override from BPCS: n.a
Override enable: n.a Whenever an override is placed the safety function in

question no longer offers protection. Operational
precautions must be taken in line with the
requirements of the standards. This is not in
Yokogawa’s scope or responsibility.

3.4.13 Environment
Environmental conditions and EMC requirements, as ProSafe-RS Hardware:

per client specification. ℃
Temperature: -20 to 70 and
• Temperature: 19 C ~ 40 C ° ° Relative humidity: 5 to 95%

EMC Compliance meets EN55011, Class A,
• Relative Humidity: 60 ~ 100% Group 1, EN61000-6-2, EN61000-3-2,
• Electrical Area Classification: General Purpose EN61000-3-3- RFI is 10 V/m maximum (80 MHz to
1 GHz)
Phoenix - Power Supply:

QUINT-PS/1 AC/24DC/40 &
QUINT-PS/1 AC/24DC/20
Temperature: -25 to 60 ℃
Relative Humidity: 95%
Phoenix - Diode:
QUINT-DIODE/12-24DC/2X20/1X40 &
TRIO-DIODE/12-24DC/2X10/1X20
Relative Humidity: 95%
P&F - Safety Relay: KFD0-RSH-1.4S.PS2 &

KFD2-RSH-1.2E. L3:
Relative humidity: -
ABB - Earth Leakage Monitor:

CM-IWS.1S:
Temperature: -25...+60 °C
P&F - Switch Amplifier:

HIC2831R1:

3.4.14 Communication Interfaces
BPCS communication: Vnet/IP Communication between ESD and BPCS or DCS

shall be using the Vnet/IP network. All the IO
Status, system status, trip alarm status is
communicating to DCS Describe the solution in
detail.
Comm. between sub-systems: n.a Sub system communication not applicable.
Remote I/O communication: n.a Remote I/O communication not applicable.
Matrix panels: Yes Auxiliary console is used and is connected to both

ESD and DCS system by HW signals.
Mimic panels: n.a Mimic panels not applicable.
3.4.15 Application Programming
Ladder diagram, acc. IEC 61131-3: n.s The ProSafe-RS engineering tools and application
Function blocks, acc. IEC 61131-3: Yes programming (Ladder diagram, Function block and
Structured text, acc. IEC 61131-3: n.s Structured text), are approved by TÜV Rheinland
(ref. ProSafe-RS Safety Manual and Engineering
guide) and are in accordance with IEC 61131.
In this system FB programming is used.
For the obvious non-safety related application logic
function blocks/parts may be used which is not part
of the SIL3 certified function block library. Examples
of obvious non-safety related application logic are:
Totalizers, Alarms, Diagnostics, Matrix panel
outputs etc.

3.4.16 Security
To protect against cyber-attacks, it is required to A hardwired key switch is provided for each
controller to prevent from unauthorised Download
Install a switch to inhibit downloads: Yes to the controller. Security levels for online and
offline downloads are controlled by passwords at
SENG.
Install a virus scanner: Yes McAfee Antivirus is provided
Install a firewall: Yes Firewall is provided

3.5 Safety Architecture

Based on the information in the SRS the following loops have been assumed for calculation.
SIF Input voting Input Interface Output Voting Output Interface Target SIL
SIF#1 1oo1 - 1oo1 Safety Relay SIL2
SIF#13 1oo1 Barrier 3oo3 Safety Relay SIL1
SIF#1
Calculated in SIF
Logic Solver Safety Relay

TX
ProSafe-RS
Pressure
Transmitters Safety Valve
1oo1 1oo1
Figure 6: SIF#1
1oo1 voting of Pressure, Level or Temperature transmitters, LS, 1oo1 voting of ESD Trip to SOV

SIF#2
SIF#2A
Calculated in SIF
SCS0307 SCS0307
Safety Relay
Logic Solver
TX
ProSafe-RS
Safety Relay
Pressure
1oo1
1oo2
Figure 7: SIF#2A
SIF#2B
Calculated in SIF
SCS0308 SCS0307
Safety Relay
Logic Solver
TX
ProSafe-RS
Safety Relay
Pressure
Transmitters
Safety Valve
1oo1
1oo2
Figure 8: SIF#2B

SIF#3
Calculated in SIF
Safety Relay
Logic Solver
TX
ProSafe-RS
Safety Relay
Pressure
Transmitters
1oo1
Safety Valve
2oo2
Figure 9: SIF#3
SIF#4
Calculated in SIF
Safety Relay
Logic Solver
Safety Relay
TX ProSafe-Rs
Pressure
Transmitters Safety Relay
1oo1
Safety Valve
2oo3
Figure 10: SIF#4

SIF#5
Calculated in SIF
Safety Relay
Safety Relay
Logic Solver
TTX
TX ProSafe-RS
Safety Relay
1
Safety Relay
Pressure 1
Transmitter
1oo1 Safety Valve
4oo4
Figure 11: SIF#5
SIF#6
Calculated in SIF
TX 1 Safety Relay
o Logic Solver
o ProSafe-RS
2 Safety Relay
TX
Pressure
1oo2
2oo2
Figure 12: SIF#6

SIF#7
Calculated in SIF
Safety Relay
TX 1
o Logic Solver Safety Relay
o ProSafe-RS
TX
2
Safety Relay
Pressure
1oo2
3oo3
Figure 13: SIF#7
SIF#8
Calculated in SIF
TX
TX
TX
1
o Logic Solver
TX o Safety Relay
ProSafe-RS
6
TX
TX
Pressure
1oo6 1oo1
Figure 14: SIF#8

SIF#9
Calculated in SIF
TX 2
o ProSafe-RS
TX
2
Pressure
2oo2
1oo1
Figure 15: SIF#9
2oo2 voting of Digital input, LS, 1oo1 voting of ESD Trip to SOV
SIF#10
Calculated in SIF
TX
2
TX
o ProSafe-RS
3
TX
Pressure
2oo3
1oo1
Figure 16: SIF#10

SIF#11
Calculated in SIF
TX
Safety Relay
2
o Logic Solver
TX
o ProSafe-RS
3 Safety Relay
TX
Pressure
2oo3
1oo2
Figure 17: SIF#11
SIF#12
Calculated in SIF
TX
TX Safety Relay
2
o Logic Solver
o ProSafe-RS
TX 4 Safety Relay
TX
Safety Valve
Pressure
Transmitters 1oo2
2oo4
Figure 18: SIF#12

SIF#13
Calculated in SIF
Safety Relay
Logic Solver Safety Relay

X
DI Barrier ProSafe-RS
Safety Relay
1
Pressure Safety Valve

Transmitter
3oo3
1oo1
Figure 19: SIF#13
SIF#14
Calculated in SIF
DI Barrier 1
o Logic Solver
o Safety Relay
ProSafe-RS
DI Barrier
2
Pressure
1oo2
1oo1
Figure 20: SIF#14

SIF#15
Calculated in SIF
DI Barrier 1 Safety Relay

o Logic Solver
o ProSafe-RS
2 Safety Relay
DI Barrier
Pressure
1oo2
1oo2
Figure 21: SIF#15
SIF#16
Calculated in SIF
TX
1
TX
o Logic Solver
o ProSafe-RS Safety Relay
3
TX
Pressure
Transmitters
1oo3 Safety Valve
1oo1
Figure 22: SIF#11
Note: This SIF loop is considered for Energize to safe loop.

4 Safety Assessment Notes for the ESD system

4.1 Introduction
In fact, one of the few safety related specifications is “Offered Shutdown PLC to be SIL 3 compliant”.
Refer A4-JGS1EP-EPC3-E00-ES-70-601-RA sheet 10 of 23
The ProSafe-RS meets that specification (see 1.4).
The safety standards IEC 61508 and IEC 61511 require a consideration of the complete safety loop
(SIF), from sensor(s) up to final element(s); the so-called pipe-to-pipe approach.
Within the Yokogawa Functional Safety Management an assessment of all components of the SIF as
far as possible is standard procedure. Yokogawa is applying IEC61508-Ed2. route 1H to verify
architecture unless noted otherwise. The observations of this assessment can be found in section 4.2 of
this Safety Validation Plan.
The Systematic Capability of the applied field interfaces and instruments (if applicable) is verified in
section 4.3
Referring to section 2.5, reliability calculations have been carried out by means of Yokogawa’s
calculation tool to verify both the safety integrity level and the mean time between failures. The results
of the calculations can be found in section 4.3.
Note that the failure rates of the components and modules of the system are fundamental parameters to
base the assessments on. Nowadays many safety certificates and reports appear which are still based on
the previous edition of the IEC 61508 standard. Yokogawa will use the manufacturer’s data as much as
possible. However, when clear non-conformities are found, Yokogawa will try to bring the data more
in-line with IEC 61508 Ed2 requirements.
.

4.2 Safety Architecture
Depending on the type (A or B), the Safe Failure Fraction (SFF) and the target SIL or depending on
prior-use and the target SIL the safety standards require applying more than one element in the SIF
subsystem. Reference is made to IEC 61508-2 tables 2 and 3 and section 7.4.4.3 and IEC 61511-1 table
6.
The following observations have been made:
4.2.1 Sensors
Sensors are not included in this safety assessment. It is client responsibility to verify the architecture
of the sensor subsystem.

Type Model SFF Suitable SIL

Architecture HFT Type
(%)
DI Barrier P+F, HIC2831R1 1oo1 0 A 80.25% Up to SIL 2
4.2.3 Logic Solver including Input and Output channels

The safety architecture and the SFF of the logic solver are in compliance with the safety standard’s
requirements for SIL 1, 2 and 3 according to table 3 of IEC 61508-2.
Type Model Architectu SFF Suitable SIL

HFT Type
re (%)
Relay P+F, KFD0-RSH-1.4S.PS2 1oo1 0 A 98.7 % Up to SIL 3
Relay P+F, KFD2-RSH-1.2E. L3 1oo1 0 A 99.8 % Up to SIL 3

Final elements are not included in this safety assessment. It is client responsibility to verify the
architecture of the final element subsystem.
4.3 Systematic Capability

The systematic capability of the applied field interfaces and (if applicable) instruments is checked based
on the information given by the suppliers in their Safety Manual(s). When no information from the
supplier is available, no verification is possible. In that case it is the end-user responsibility to verify if
the applied instrument is fit for use in the defined SIFs with their target SIL.
4.3.1 Sensors
Sensors are not included in this safety assessment. It is client responsibility to verify the Systematic
Capability of the sensor subsystem.
Type Model Claimed Remarks

Systematic Capability
DI Barrier P+F, HIC2831R1 SC3 -
See the appendix for the appropriate safety manual.
4.3.3 Logic Solver including Input and Output channels

The Systematic Capability of the logic solver is SC3, see section 1.3.4.

Claimed
Type Model Remarks
Systematic Capability
Relay P+F, KFD0-RSH-1.4S.PS2 SC3 -
Relay P+F, KFD2-RSH-1.2E. L3 SC3 -

See the appendix for the appropriate safety manual.

Final elements are not included in this safety assessment. It is client responsibility to verify the
Systematic Capability of the final element subsystem.
4.4 Reliability Calculations
4.4.1 Scope
Based on the assumptions and restrictions as indicated in this SVP, calculations have been executed for
the following Safety Instrumented Functions and systems:
The calculation is based on failure data provided in the device certificates and/or safety manuals.
Yokogawa cannot be held responsible for correctness of it. Device certificates and safety manuals can
be found in Appendix II.
The following logic solver (SCS0307 & SCS0308) for availability calculations was done comprising of
Model Name Model Type No of Modules No of Modules
(SCS0307) (SCS0308)
Safety Controller Unit S2SC70D-F 1 1
Safety Node Unit SNB10D 7 1
Dual Analog Input Module SAI143-H 63/PRP 16 8
Dual Digital Input Module SDV144-S 63/PRP 34 6
Dual Digital Output Module SDV541-S E53 14 6
DI Barrier HIC2831R1 118 26
DO Relay KFD0-RSH-1.4S.PS2 67 26
DO Relay KFD2-RSH-1.2E. L3 - 2
The calculation is based on low demand mode of operation of the (assumed) SIFs.
The calculation is based on failure data provided in the device certificates and/or safety manuals.
Yokogawa cannot be held responsible for correctness of it. Device certificates and safety manuals can
be found in Appendix II

4.4.2 Results
The reliability calculations have been executed with the help of the RSV.
The results can be found in the calculation report (Appendix 1

A summary of the results can be found in the table below:
SIF Required SIL HFT SC PFD Scope meets the requirements

Suitable for Claimed by Compatible
SIL supplier with SIL
SIF#1 SIL2 3 3 3 Yes
Availability of logic solver – ESD (including field interfaces) – Refer Appendix II for Availability
Calculations.
Availability of logic solver - ESD (without field interfaces) – Refer Appendix II for Availability Calculations.
SCS Number Availability of Logic Availability with

Solver alone % Interface %
SCS0307 99.99989 99.979
SCS0308 99.99996 99.987
It is client obligation as per IEC 61508/61511 to perform the complete PFDavg calculations
including sensors and final elements.

5 Miscellaneous
Proof Testing
For ESD systems a periodical proof tests of the entire (pipe-to-pipe) SIF, with the frequency as indicated
in the calculation report, have to be executed to maintain the calculated SIL. Procedures for proof testing
of Yokogawa’s part of the SIF can be found in the Instructions for Operation and Maintenance. It is
end-user’s responsibility to execute the proof tests and to keep records thereof.
System alarms
System alarms like line fault message, module failures, etc. have to be followed up by operators and/or
maintenance engineers. Procedures for this must be developed by the end-user, some guidance for the
Yokogawa equipment can be found in the Instructions for Operation and Maintenance.
Configurable system parts

For all configurable system parts, such as transmitters (HART), protection against unauthorised
modification should be used at all times.
Lifetime restrictions
An overall lifetime has been specified in section 0. For certain, mostly mechanical, devices a shorter
lifetime might apply. It is end-user’s responsibility to identify and replace these devices at the end of
their specified lifetime to ensure the validity of their associated failure rates. The Yokogawa Power
supply modules in the rack have an expected lifetime of 8 years.
Overrides
The human factor will not be included in the Yokogawa reliability calculations. As a consequence,
unsafe operating of overrides as far as they may be caused by mistake and/or wrong procedures are not
part of the safety assessment.
6 Modifications
This section is not applicable yet.
End of document

Appendix II
Reliability Calculation results
Number of pages that follow: 52

ProSafe-RS Reliability Calculation
tool info : revision 12
Project: JG Summit Stage 1 Expansion Project
(SCS0307)
Rev: 1.1
Date: 10/01/2020
Author: Ramkumar Rajendran
1. Availability
System configuration
Single Duplex
Number of
Model name Model type
Number of Duplex sets
modules (=1/2 # of
modules)
Digital Input Module SDV144 17
Digital Output Module (8ch, 24VDC) SDV531-S/L
Digital Output Module (8ch, 48VDC) SDV53A
Digital Output Module (16ch, 24VDC) SDV541 7
Digital Output Module (4ch, 24VDC) SDV521
Digital Output Module (4ch, 100VAC) SDV526
Analog Input Module (4～20mA) SAI143-S
Analog Input Module (4～20mA, with HART) SAI143-H 8
Analog Input Module (1-5V/1-10V) SAV144
Analog Input Module (mV/TC) SAT145
Analog Input Module (RTD) SAR145
Analog Output Module (4 ～20mA, with HART) SAI533
Analog Digital I/O Module (Analog Input 2-wire) S2MMM843 AI 2Wire
Analog Digital I/O Module (Analog Output) S2MMM843 AO
S2MMM843 DI
Analog Digital I/O Module (Digital Input) S2MDV843 DI
S2MMM843 DO
Analog Digital I/O Module (Digital Output) S2MDV843 DO
Fire and Gas Communication Module S2LP131
Safety Control Unit (Single CPU for V net) SSC10S
Safety Control Unit (Dual redundant CPU for V net) SSC10D
Safety Control Unit (Single CPU for Vnet/IP) SSC50S
Safety Control Unit (Dual redundant CPU for Vnet/IP) SSC50D
Safety Control Unit (Single CPU for Vnet/IP) SSC60S / S2SC70S
Safety Control Unit (Dual redundant CPU for Vnet/IP) SSC60D / S2SC70D 1
Safety Node Unit SNB10D / S2NN30D 8
Unit for Optical Bus Repeater Module SNT10D
Optical ESB Bus Repeater Master Module (! Enter 1/2 #of Mdl) *1 SNT401/411
*1 Failure rates of SNT501/511 are automatically calculated.
Parameters
Proof test interval (T) : 1 years 8760 hours
Mean Time To Restoration (MTTR) : 8 hours
Results
Availability: 99.99989 %
MTBFspurious: 804.52 years

document info General Reliability Configurator™ for SIS
file: System Availability SCS0307
DTS: De-energize To Safe state
YOKOGAWA
tab: System_Availability Safety Assurance and Consultancy
page 2 of 2
tool info : revision 18.2

custodian: SA
© 2018 Yokogawa Europe B.V.
project no.: E190452Q00 system: ESD assumptions:

project name: JG Summit Stage 1 Expansion Project sub-system: Not Applicable Life Time considered as 10 Years
(SCS0307) scope: Overall System Availability
client name: JG Summit Petro Chemical Group revision no.: 1.1
client P.O. no.: 7500077257 executed by: Ramkumar Rajendran
end user name: JG Summit Petro Chemical Group date: 10/01/2020
legend calculation scope inputs

MTBF = mean time between sensor(s) result from ext. calc. FTR MTBF availability
failure MTBF (year) targets 1/year 10.00 year 99.9900 %
MTTR = mean time to restoration
SE interface(s) 10.00
FTR = false trip rate
I/O = input / output ProSafe-RS availability
SE = sensor element LS incl. I/O module(s) 99.99989 % set MTTR 8 hour
LS = logic solver
FE = final element
FE interface(s) results FTR MTBF availability
0.23 1/year 4.26 year 99.979 %
Normally sensors and final final element(s)
elements are not included in 2.680E+01 E-6/hr
availability calculations
unless specified. targets met? n.a no no
total number of circuits for SIS Availability

Type failure rates per circuit (E-6/hr)
manufacturer model calculation, based on below voting principles
(A/B)
λS λDd λDu 1oo1 1oo2 1oo3 2oo2 2oo3 2oo4
Sensor Interface Modules .
P+F DI Isolation Barrier HIC2831R1 A 1.06E-01 3.30E-03 2.28E-02 118
Final Element Interface Modules .
P+F Safety Relay KFD0-RSH-1.4S.PS2 A 3.50E-02 0.00E+00 1.83E-03 67
ProSafe-RS Reliability Calculation
tool info : revision 12
(SCS0308)
Rev: 1.1
Date: 10/01/2020
1. Availability
System configuration
Single Duplex
Number of
Model name Model type
Number of Duplex sets
modules (=1/2 # of
modules)
Digital Input Module SDV144 3
Digital Output Module (8ch, 24VDC) SDV531-S/L
Digital Output Module (8ch, 48VDC) SDV53A
Digital Output Module (16ch, 24VDC) SDV541 3
Digital Output Module (4ch, 24VDC) SDV521
Digital Output Module (4ch, 100VAC) SDV526
Analog Input Module (4～20mA) SAI143-S
Analog Input Module (4～20mA, with HART) SAI143-H 4
Analog Input Module (1-5V/1-10V) SAV144
Analog Input Module (mV/TC) SAT145
Analog Input Module (RTD) SAR145
Analog Output Module (4 ～20mA, with HART) SAI533
Analog Digital I/O Module (Analog Output) S2MMM843 AO
S2MMM843 DI
Analog Digital I/O Module (Digital Input) S2MDV843 DI
S2MMM843 DO
Analog Digital I/O Module (Digital Output) S2MDV843 DO
Fire and Gas Communication Module S2LP131
Safety Control Unit (Single CPU for V net) SSC10S
Safety Control Unit (Dual redundant CPU for V net) SSC10D
Safety Control Unit (Single CPU for Vnet/IP) SSC60S / S2SC70S
Safety Control Unit (Dual redundant CPU for Vnet/IP) SSC60D / S2SC70D 1
Safety Node Unit SNB10D / S2NN30D 2
Unit for Optical Bus Repeater Module SNT10D
Optical ESB Bus Repeater Master Module (! Enter 1/2 #of Mdl) *1 SNT401/411
*1 Failure rates of SNT501/511 are automatically calculated.
Parameters
Results
Availability: 99.99996 %
MTBFspurious: 2534.95 years

file: System Availability SCS0308
YOKOGAWA
tab: System_Availability Safety Assurance and Consultancy
page 2 of 2

custodian: SA

project name: JG Summit Stage 1 Expansion Project sub-system: Not Applicable Life Time considered as 10 Years
(SCS0308) scope: Overall System Availability
legend calculation scope inputs

MTBF = mean time between sensor(s) result from ext. calc. FTR MTBF availability
failure MTBF (year) targets 1/year 10.00 year 99.9900 %
MTTR = mean time to restoration
SE interface(s) 10.00
FTR = false trip rate
ProSafe-RS availability
I/O = input / output
SE = sensor element LS incl. I/O module(s) 99.99996 % set MTTR 8 hour
LS = logic solver
FE = final element
FE interface(s) results FTR MTBF availability
0.14 1/year 7.22 year 99.987 %
Normally sensors and final final element(s)
elements are not included 1.581E+01 E-6/hr
in availability calculations
unless specified. targets met? n.a no no
total number of circuits for SIS Availability

Type failure rates per circuit (E-6/hr)
manufacturer model calculation, based on below voting principles
(A/B)
λS λDd λDu 1oo1 1oo2 1oo3 2oo2 2oo3 2oo4
P+F DI Isolation Barrier HIC2831R1 A 1.06E-01 3.30E-03 2.28E-02 26
P+F Safety Relay KFD0-RSH-1.4S.PS2 A 3.50E-02 0.00E+00 1.83E-03 26
P+F Safety Relay KFD2-RSH-1.2E. L3 A 3.00E-01 0.00E+00 3.47E-03 2
ProSafe-RS Reliability Calculation tool info : revision 12

SIF#1 1oo1 NIS AI - LS - 1oo1 NIS DO
Rev: 1.1
Date: 10/01/2019
Parameters
2. PFDAVG Calculation for a Specified Safety Function
Input Output
Redundancy Safety Redundancy
No of
Module type No of channels Communication Module type
same module channels same module
SDV144 1oo1 No SDV531-S/L 1oo1

SAI143-S/H 1 1oo1 SDV53A 1oo1
SAV144 1oo1 SDV541 1 1oo1
SAT145 1oo1 SDV521/526 1oo1
SAR145 1oo1 SAI533 1oo1
S2MMM843 AI 2-wire 1oo1 S2MMM843 AO 1oo1
S2MMM843 DO
S2MMM843 AI 4-wire 1oo1 S2MDV843 DO 1oo1
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 6.754E-06
file: SIF#1
YOKOGAWA
tab: PipeToPipe_PFD Safety Assurance and Consultancy
page 2 of 2
tool info : r
cu
© 2018 Yokogawa

project name: JG Summit Stage 1 Expansion Project sub-system: Not Applicable
SIF / tag SIF#1 1oo1 NIS AI - LS - 1oo1 NIS DO
legend calculation scope inputs SE system LS system FE system

PFDAVG = average probability of sensor(s) result from ext. calc. TSE 1.00 year TLS 1.00 year TFE 1.00 year
failure on demand PFDAVG
β = common cause factor SE interface(s) βSE 0.020 βLS 0.005 βFE 0.050
T = proof test interval
ProSafe-RS PFDAVG
TL = life time
PC = proof test coverage LS incl. I/O module(s) 6.754E-06 PCSE 0.980 PCLS 0.990 PCFE 0.960
IM = interface module TL (year)
SFF = safe failure fraction
FE interface(s) 10 voting 1oo1 voting n.a. voting 1oo1
AI/DI = analogue / digital input
AO/DO = analogue / digital output
SV = solenoid valve final element(s) SIL RRF budget LS+I/O+IM
RRF = risk reduction factor targets 2 15 %
results fit for use in SIL RRF PFDAVG

AO/DO IM SV
FE
3 55630 1.798E-05
SE IM AI/DI AO/DO IM SV
implied λDu
targets met? yes n.a. 4.104E-03 E-6/hr
LS
PFD analysis element system %
FE sensor(s) SE
AO/DO IM SV SE interface(s)
LS inl. I/O module(s) 6.754E-06 6.754E-06 0.07 LS
1oo1 voted 1oo2 voted 1oo2 voted 1oo1 voted 1oo2 voted FE interface(s) 8.015E-06
ProSafe-RS
SE element SE system SV system FE element FE system
final element(s) 1.122E-05 0.11 FE
diagnostics SIF
Type failure rates per circuit (E-6/hr) hardware safety integrity
manufacturer model enabled element
(A/B)
λS λDd λDu results constraints (yes/no) voting
P+F Safety Relay KFD0-RSH-1.4S.PS2 A 3.50E-02 0.00E+00 1.83E-03 95.03 SFF yes 1oo1
SIL LIST UNDER SIF TYPICAL LOOP
SIF Type SIF ID Target SIL Achieved SIL

PE3- SIF- 206 2
PE3- SIF- 432 2
PE3- SIF- 501 2
PE3- SIF- 502 2
PE3- SIF- 803 1
PE3- SIF- 2001 1
PE3- SIF- 2002 2
PE3- SIF- 2021-3 1
PE3- SIF- 5004-1 2
PE3- SIF- 5004-2 1
PE3- SIF- 5041-3 1
PE3- SIF- 800-1 1
PE3- SIF- 800-2 2
PE3- SIF- 800-3 1
SIF#1 SIL#3
PE3- SIF- 800-4 1
PE3- SIF- 800-5 1
PE3- SIF- 800-6 1
PE3- SIF- 800-7 1
PE3- SIF- 804-1 1
PE3- SIF- 804-2 2
PE3- SIF- 804-3 1
PE3- SIF- 804-4 1
PE3- SIF- 804-5 1
PE3- SIF- 804-6 1
PE3- SIF- 804-7 1
PE3- SIF- 520-1 2
PE3- SIF- 520-2 2
PE3- SIF- 5011-1 1

SIF#2: 1oo1 AI – LS - Safety Relay -1oo2 DO
Rev: 1.1
Date: 10/01/2019
Parameters
Input Output
No of
Module type No of channels Communication Module type different
same module channels
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 6.731E-06
file: SIF#2
YOKOGAWA
page 2 of 3

custodian: SA

SIF / tag SIF#2: 1oo1 AI – LS - SR -1oo2 DO

ProSafe-RS PFDAVG
TL = life time
SFF = safe failure fraction FE interface(s) 10 voting 1oo1 voting n.a. voting 1oo1

AO/DO IM SV
FE
3 137137 7.292E-06
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 503 2
SIF#2 SIL#3
PE3- SIF- 5005-2 2

SIF#3: 1oo1 AI – LS - Safety Relay -2oo2 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 6.778E-06
file: SIF#3
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#3:1oo1AI–LS-Safety Relay-2oo2 DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 34221 2.922E-05
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 2021-1 2
PE3- SIF- 2021-2 1
PE3- SIF- 4011-1 2
PE3- SIF- 4011-2 1
PE3- SIF- 4031-1 1
PE3- SIF- 4031-2 2
SIF#3 SIL#3
PE3- SIF- 5005-3 2
PE3- SIF- 5041-1 2
PE3- SIF- 5081-1 2
PE3- SIF- 5081-2 2
PE3- SIF- 5112-1 2
PE3- SIF- 5112-2 2

SIF#4:1oo1AI -LS-Safety Relay-2oo3 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 6.731E-06
file: SIF#4
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#4:1oo1AI -LS-Safety Relay-2oo3 DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 104775 9.544E-06
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 4221-1 1
SIF#4 SIL#3
PE3- SIF- 4221-2 2

SIF#5 1oo1 AI–LS-Safety Relay-4oo4 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 6.827E-06
file: SIF#5
YOKOGAWA
page 2 of 2

custodian: SA
project no.: E190452Q00 system: ESD Note:

project name: JG Summit Stage 1 Expansion Project sub-system: Not Applicable 4 times of the failure rate (4x1oo1) considered
SIF / tag SIF#5 1oo1 AI–LS-Safety Relay-4oo4 DO for calculation and the element voting considered
client name: JG Summit Petro Chemical Group revision no.: 1.1 as 1oo1.

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 19338 5.171E-05
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)
P+F Safety Relay(4 Times of 1oo1 (4x1oo1)) KFD0-RSH-1.4S.PS2 A 1.40E-01 0.00E+00 7.32E-03 95.03 SFF yes 1oo1

SIF#5 PE3- SIF-007 2 SIL#3

SIF#6 1oo2AI–LS-Safety Relay-2oo2DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
Module type No of channels different Communication Module type different
channels
modules modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 7.846E-07
file: SIF#6
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#6 1oo2AI–LS-Safety Relay-2oo2DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 43052 2.323E-05
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)

SIF#6 PE3- SIF- 5041-2 2 SIL#3

SIF#7 1oo2AI–LS-Safety Relay-3oo3DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
channels
modules modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 8.087E-07
file: SIF#7
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#7 1oo2AI–LS-Safety Relay-3oo3DO for calculation and the element voting considered

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 29008 3.447E-05
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)
P+F Safety Relay(3 times of 1oo1(3x1oo1)) KFD0-RSH-1.4S.PS2 A 1.05E-01 0.00E+00 5.49E-03 95.03 SFF yes 1oo1

SIF#7 PE3- SIF- 004-2 1 SIL#3

SIF#8: 1oo6AI –LS-Safety Relay -1oo1 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
Module type No of channels different Communication Module type
channels same module
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 3.734E-05
file: SIF#8
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#8: 1oo6AI –LS-Safety Relay -1oo1 DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 20594 4.856E-05
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)

SIF#8 PE3- SIF- 005 2 SIL#3

SIF#9 2oo2 AI - LS -SAFETY RELAY - 1oo1 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
channels
modules modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 1.287E-05
file: SIF#9
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#9 2oo2 AI - LS -SR- 1oo1 DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 21489 4.654E-05
implied λDu
LS
FE sensor(s) 0.000E+00 0.00 SE
AO/DO IM SV SE interface(s) 0.000E+00
ProSafe-RS
diagnostics SIF
(A/B)

SIF#9 PE3-SIF- 7-5011-2 1 SIL#3

SIF#10 2oo3 AI- LS -SR - 1oo1 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 7.605E-07
file: SIF#10
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#10 2oo3 AI- LS -SR - 1oo1 DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 83458 1.198E-05
implied λDu
LS
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 123 2
SIF#10 SIL#3
PE3- SIF- 223 2

SIF#11 2oo3 AI - LS -SR - 1oo2 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
channels
modules modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 7.369E-07
file: SIF#11
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#11 2oo3 AI - LS -SR - 1oo2 DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 770375 1.298E-06
implied λDu
LS
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 121 3
PE3- SIF- 122 3
PE3- SIF- 141 3
PE3- SIF- 142 3
SIF#11 SIL#3
PE3- SIF- 221 3
PE3- SIF- 222 3
PE3- SIF- 241 3
PE3- SIF- 242 3

SIF#12 2oo4 AI - LS -SR - 1oo2 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
channels
modules modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 2.508E-05
file: SIF#12
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#12 2oo4 AI - LS -SR - 1oo2 DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 39001 2.564E-05
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 111 3
PE3- SIF- 112 3
SIF#12 SIL#3
PE3- SIF- 211 3
PE3- SIF- 212 3

SIF#13 1oo1DI - IS - LS - SR - 3oo3 DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 6.803E-06
file: SIF#13
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#13 1oo1DI - IS - LS - SR - 3oo3 DO for calculation and the element voting considered

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
2 6238 1.603E-04
implied λDu
LS
FE sensor(s) 1.198E-04 0.12 SE
AO/DO IM SV SE interface(s) 9.986E-05
ProSafe-RS
diagnostics SIF
(A/B)
P+F DI Isolation Barrier HIC2831R1 A 1.06E-01 3.30E-03 2.28E-02 82.74 SFF yes 1oo1
P+F Safety Relay(3 Times of 1oo1 (3x1oo1)) KFD0-RSH-1.4S.PS2 A 1.05E-01 0.00E+00 5.49E-03 95.03 SFF yes 1oo1

PE3- SIF- 003-1 1
SIF#13 PE3- SIF- 003-2 1 SIL#2
PE3- SIF- 004-1 1

SIF#14 1oo2DI - IS - LS - SR -1oo1DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 7.605E-07
file: SIF#14
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#14 1oo2DI - IS - LS - SR -1oo1DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 27146 3.684E-05
implied λDu
LS
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 009 2
PE3- SIF- 131-1 2
PE3- SIF- 131-2 2
SIF#14 SIL#3
PE3- SIF- 231-1 2
PE3- SIF- 231-2 2
PE3- SIF- 5005-1 2

SIF#15 1oo2DI - IS - LS - SR - 1oo2DO
Rev: 1.1
Date: 10/01/2020
Parameters
Input Output
No of
channels
modules modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 7.369E-07
file: SIF#15
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#15 1oo2DI - IS - LS - SR - 1oo2DO

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 269532 3.710E-06
implied λDu
LS
ProSafe-RS
diagnostics SIF
(A/B)

PE3- SIF- 124 2
SIF#15 SIL#3
PE3- SIF- 224 2

SIF#16 1oo3AI–LS- Safety Relay-1oo1DO
Rev: 1.1
Date: '10/01/2020
Parameters
Input Output
No of
modules
SAT145 1oo1 SDV521/526 1oo1
S2MMM843 DO
S2MMM843 DI
S2MDV843 DI 1oo1
Results
PFDAVG : 7.605E-07
file: SIF#16
YOKOGAWA
page 2 of 2

custodian: SA

SIF / tag SIF#16 1oo3AI–LS- Safety Relay-1oo1DO
end user name: JG Summit Petro Chemical Group date: '10/01/2020

ProSafe-RS PFDAVG
TL = life time

AO/DO IM SV
FE
3 45375 2.204E-05
implied λDu
LS
FE sensor(s) SE
ProSafe-RS
diagnostics SIF
(A/B)
P+F Safety Relay KFD2-RSH-1.2E. L3 A 3.00E-01 0.00E+00 3.47E-03 98.86 SFF yes 1oo1

SIF#16 PE3- SIF- 801 1 SIL#3
Appendix II
Safety Certificates and Safety Manuals
Number of pages that follow: 93

Safety Assessment
by Saf ety Assuranc e
Device Front Sheet: Revision 1
Pepperl+Fuchs - Switch Amplifier
Device Type No. HiC283*
Doc. ref. Document name Date Revision Institute
10-05-041-C IEC 61508 Functional Safety

10-2016 V2, R1 Exida
R022 Assessment
Yokogawa’s independent group of Safety Experts has assessed the reliability data in the attached report
and proposes to use these data as follows (values in E-06/hr):
Manufacturer Model Type S DD DU

HiC283*
Pepperl+Fuchs A 1.06E-01 3.30E-03 2.28E-02
Normal Operation
HiC283*
Pepperl+Fuchs A 1.06E-01 3.30E-03 2.68E-02
Inverse Operation
Yokogawa’s approach is to use the reliability data in a conservative way, thus minimizing the chance
of a too optimistic calculation. On request the calculation can always be repeated with less
conservative data.
(*)
Manufacturer claims compliance to Systematic Capability: SC3
(*) Exida Certificate: P+F 100397R1C P0006 C04.2
Considerations
Values are only valid for Route 1H.
Values are taken from the attached Functional Safety Assessment without change.
Values are valid for the following types:

 HiC2831
 HiC2832
 HiC2831R1
 HiC2832R1
 HiC2831R2
 HiC2832R2
 HiC2831R3
 HiC2832R3
Amersfoort, 03 – 07 – 2018 Amersfoort, 03 – 07 – 2018

Rob van der Harst Jeff Beijk
Functional Safety Consultant Functional Safety Senior Expert
FS Eng (TÜV Rheinland, #13190/16, SIS) TÜV Rheinland 135/08
Project:
HiC283*
Customer:
Pepperl + Fuchs GmbH
Mannheim
Germany
Contract Number: Q16/10-014-C
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Management Summary
This report summarizes the results of the functional safety assessment according to IEC 61508
carried out on the following products from Pepperl + Fuchs GmbH:
HiC283*
The functional safety assessment performed by consisted of the following activities:
- assessed the development process used by Pepperl + Fuchs GmbH through an
audit and review of a detailed safety case against the certification scheme which
includes the relevant requirements of IEC 61508. The investigation was executed using
subsets of the IEC 61508 requirements tailored to the work scope of the development
team.
- performed a review of the Failure Modes, Effects, and Diagnostic Analysis
(FMEDA) reports of the devices documenting the hardware architecture and failure
behavior.
The functional safety assessment was performed to the requirements of IEC 61508:2010, SIL 2.
A full IEC 61508 Safety Case was prepared using the Safety Case tool as the primary audit
tool. Hardware process requirements and all associated documentation were reviewed.
Environmental test reports were reviewed. Also the user documentation (safety manual) was
reviewed.
The results of the Functional Safety Assessment can be summarized as:
The audited development process as tailored and implemented by the Pepperl + Fuchs GmbH
HiC283* development project, complies with the relevant safety management requirements of
IEC 61508:2010 SIL2, SC 2 (SIL 2 Capable).
The assessment of the FMEDA, done to the requirements of IEC 61508, has shown that the
HiC283* can be used in a low / high demand safety related system in a manor where the PFDavg
/ PFH is within the allowed range for up to SIL2 (HFT = 0) according to table 3 of IEC 61508-1.
The assessment of the FMEDA also shows that the HiC283* meet the requirements for
architectural constraints of an element such that it can be used to implement a SIL 2 safety
function (with HFT = 0) or a SIL 3 safety function (with HFT = 1).
This means that the HiC283* are capable for use in SIL2 applications in Low / High
DEMAND mode, when properly designed into a Safety Instrumented Function per the
requirements in the Safety Manual and when using the versions specified in the Annex to
the assessment report [R5].
The manufacturer will be entitled to use the Functional Safety Logo.
© P+F 10-05-041-C R022 Assessment Report HiC283x V2 R1.docx

T-023 V4R1 80 N. Main St, Sellersville, PA 18960 Page 2 of 15
Table of Contents
Management Summary .................................................................................................. 2
1 Purpose and Scope .................................................................................................. 4
1.1 Tools and Methods used for the assessment ...............................................................4
2 Project Management................................................................................................. 5
2.1 ............................................................................................................................5
2.2 Roles of the parties involved ........................................................................................5
2.3 Standards and literature used ......................................................................................5
2.4 Reference documents ..................................................................................................5
2.4.1 Documentation provided by Pepperl + Fuchs GmbH .........................................5
2.4.2 Documentation generated by ...................................................................5
2.5 Assessment Approach .................................................................................................6
3 Product Descriptions................................................................................................. 7
3.1 Hardware Version Numbers .........................................................................................8
4 IEC 61508 Functional Safety Assessment Scheme.................................................. 9
4.1 Methodology ................................................................................................................9
4.2 Assessment level .........................................................................................................9
5 Results of the IEC 61508 Functional Safety Assessment ....................................... 10
5.1 Lifecycle Activities and Fault Avoidance Measures .................................................... 10
5.1.1 Functional Safety Management ....................................................................... 10
5.1.2 Safety Requirements Specification and Architecture Design............................ 11
5.1.3 Hardware Design ............................................................................................. 11
5.1.4 Validation......................................................................................................... 11
5.1.5 Verification....................................................................................................... 11
5.1.6 Modifications ................................................................................................... 12
5.1.7 User documentation......................................................................................... 12
5.2 Hardware Assessment ............................................................................................... 12
5.2.1 Failure rates .................................................................................................... 13
6 Terms and Definitions ............................................................................................. 14
7 Status of the Document .......................................................................................... 15
7.1 Liability ....................................................................................................................... 15
7.2 Releases .................................................................................................................... 15
7.3 Future Enhancements ................................................................................................ 15
7.4 Release Signatures .................................................................................................... 15

1 Purpose and Scope
This document shall describe the results of the IEC 61508 functional safety assessment of the
following products from Pepperl + Fuchs GmbH:
HiC283*
by according to accredited certification scheme which includes the requirements of
IEC 61508:2010.
The assessment has been carried out based on the quality procedures and scope definitions of
The results of this provides the safety instrumentation engineer with the required failure data as
per IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic
failures during the development process of the device.
1.1 Tools and Methods used for the assessment

This assessment was carried by using the Safety Case tool. The Safety Case tool contains
the scheme which includes all the relevant requirements of IEC 61508.
For the fulfillment of the objectives, expectations are defined which builds the acceptance level
for the assessment. The expectations are reviewed to verify that each single requirement is
covered. Because of this methodology, comparable assessments in multiple projects with
different assessors are achieved. The arguments for the positive judgment of the assessor are
documented within this tool and summarized within this report.
The assessment was planned by agreed with Pepperl + Fuchs GmbH.
All assessment steps were continuously documented by (see [R1] and [R2]).

2 Project Management
2.1
specializing in automation system safety and availability with over 300 years of cumulative
experience in functional safety. Founded
from assessment organizations and manufacturers, is a global company with offices
around the world. offers training, coaching, project oriented system consulting services,
safety lifecycle engineering tools, detailed product assurance, cyber-security and functional
safety certification, and a collection of on-line safety and reliability resources. maintains a
comprehensive failure rate and failure mode database on process equipment.
2.2 Roles of the parties involved

Pepperl + Fuchs GmbH Manufacturer of the HiC283*
Performed the hardware assessment
Performed the IEC 61508 Functional Safety Assessment.
P+F contracted in February 2011 for the IEC 61508 Functional Safety Assessment of the
first version of the HiC283*. This has since then been extended with several variants as described
in the Annex to the assessment report [R5].
2.3 Standards and literature used

The services delivered by were performed based on the following standards / literature.
[N1] IEC 61508 (Parts 1 - 7): 2010 Functional Safety of Electrical/Electronic/Programmable

Electronic Safety-Related Systems
2.4 Reference documents
2.4.1 Documentation provided by Pepperl + Fuchs GmbH

Please refer to the Annex to the assessment report [R5] where a complete listing of the different
variants and their corresponding documentation is found.
2.4.2 Documentation generated by

[R1] Assessment & Document Review Assessment and review comments HiC283*
comments R019 V0R4 P+F 1005-
041-C
[R2] P+F 1610-014-C R041 Safety IEC 61508 SafetyCaseDB for HiC283*
case.xls
[R3] P+F 10-05-041-C R022 IEC 61508 Functional Safety Assessment, Pepperl
Assessment Report HiC283x V2 + Fuchs GmbH HiC283* (this report)
R1.docx
[R4] P+F 0905-35-R1-C R038 Results of the IEC 61508 Functional Safety
Assessment Report FSM Management Assessment
Certificate V2 R0.docx

[R5] P+F 16-10-014-C R041 Annex to Annex to assessment report containing details
assessment report HiC283* about the variants assessed.
V1Rx.docx (Rx means the latest version of the document)
2.5 Assessment Approach

The certification audit was closely driven by requirements of the scheme which includes
subsets filtered from IEC 61508.
The assessment was planned by and agreed upon by Pepperl + Fuchs GmbH.
The following IEC 61508 objectives were subject to detailed auditing at Pepperl + Fuchs GmbH:
FSM planning, including
Safety Life Cycle definition
Scope of the FSM activities
Documentation
Activities and Responsibilities (Training and competence)
Configuration management
Tools
Safety Requirement Specification
Change and modification management
Hardware architecture design - process, techniques and documentation
Hardware design / probabilistic modeling
Hardware and system related V&V activities including documentation, verification
Fault insertion test strategy
System / hardware validation
Hardware-related operation, installation and maintenance requirements

3 Product Descriptions
The devices are isolated switch amplifiers which provide the power for NAMUR sensors in the
hazardous area and convert the sensors supply current into a line fault transparent (LFT) output
signal. The input of the HiC2831* control two passive transistor outputs while each input of the
HiC2832* controls one passive transistor output with resistive output characteristic.
With DIP switch S1 and S3 the output mode can be inverted. This means that the customer can
decide whether a low or a high input current leads to a low impedance respectively high
impedance output.
Below, the block diagrams for the different versions are shown.
Figure 1: HiC2831
Figure 2: HiC2832
The variants are shown in more detail in the Annex to the assessment report [R5].

3.1 Hardware Version Numbers
Please refer to the Annex to the assessment report [R5] where the different variants are listed in
more detail.

4 IEC 61508 Functional Safety Assessment Scheme
assessed the development process used by Pepperl + Fuchs GmbH for this development
project against the objectives of the certification scheme which includes subsets of IEC
61508 -1 and 2. The results of the assessment are documented in [R1] to [R3].
4.1 Methodology
The full functional safety assessment includes an assessment of all fault avoidance and fault
control measures during hardware development and demonstrates full compliance with IEC
61508 to the end-user. The assessment considers all requirements of IEC 61508. Any
requirements that have been deemed not applicable have been marked as such in the full Safety
Case report, e.g. software development requirements for a product with no software. The
assessment also includes a review of existing manufacturing quality procedures to ensure
compliance to the quality requirements of IEC 61508.
As part of the IEC 61508 functional safety assessment the following aspects have been reviewed:
Development process, including:
Functional Safety Management, including training and competence recording,
FSM planning, and configuration management
Specification process, techniques and documentation
Design process, techniques and documentation, including tools used
Validation activities, including development test procedures, test plans and
reports, production test procedures and documentation
Verification activities and documentation
Modification process and documentation
Installation, operation, and maintenance requirements, including user
documentation
Product design
Hardware architecture and failure behavior, documented in four FMEDAs
The review of the development procedures is described in section 5. The review of the product
design is described in section 5.2.
4.2 Assessment level

The HiC283* has been assessed per IEC 61508 to the following levels:
SIL 2 capability
The development procedures have been assessed as suitable for use in applications with a
maximum Safety Integrity Level of 2 (SIL2) according to IEC 61508.

5 Results of the IEC 61508 Functional Safety Assessment
assessed the development process used by Pepperl + Fuchs GmbH for these products
against the objectives of IEC 61508 parts 1 - 7. The development process has already been
assessed and certified as SIL 3 compliant in a separate assessment [R4]
The first assessment was done in February 2011 and documented in the SafetyCase [R2].
5.1 Lifecycle Activities and Fault Avoidance Measures

Pepperl + Fuchs GmbH have a defined product lifecycle process in place. This is documented in
the Quality Management System Manual and various Quality Procedures. A documented
modification process is also covered in the Quality Manual. No software is part of the design and
therefore any requirements specific from IEC 61508 to software and software development do
not apply.
The assessment investigated the compliance with IEC 61508 of the processes, procedures and
techniques as implemented for product design and development. The investigation was executed
using subsets of the IEC 61508 requirements tailored to the SIL 2 work scope of the development
team. The result of the assessment can be summarized by the following observations:
The audited Pepperl + Fuchs GmbH design and development process complies with the
relevant managerial requirements of IEC 61508 SIL 2.
5.1.1 Functional Safety Management

FSM Planning
Pepperl + Fuchs GmbH have a defined process in place for product design and development.
Required activities are specified along with review and approval requirements. The different
phases together with the corresponding work items and their required input and output is
defined. It also contains references to other planning documents where the verification and
validation activities and methods are defined. The roles and responsibilities are also defined
herein.
Templates and sample documents have been reviewed and found to be sufficient. The
modification process is covered by the V&V plan. This process and the procedures referenced
therein fulfill the requirements of IEC 61508 with respect to functional safety management for a
product with simple complexity and well defined safety functionality.
Version Control
The handling of configurations is described in P+F development process. This includes
responsibilities for the activities, the items to be under version control and the defined tools /
methods for this.
All safety related work products are part of document / version management system.
The HW modules can be identified by a naming / numbering convention as described in the
P+F development process. The project documents are listed / defined in the Documentation
plan together with their version and revision.
Which versions of a work product was part of which test run is documented in the respective
test reports.

Training, Competency recording
The different training courses / seminars of each individual in the project are documented in
addition to the official education in project specific contact lists. Also the applicable project
experiences were, in some cases, used as reasoning behind the competence evaluation for the
members of the projects. The corresponding competence records are included in the FSM /
V&V plan.
The FSM / V&V Plan have been specified, reviewed and approved by the responsible people
for the specified activities of the project. The responsibilities for the documents are tracked in
this plan.
5.1.2 Safety Requirements Specification and Architecture Design

The FSM / V&V plan requires the SRS to be developed before any other design and
development activity as input for the architecture design of the product. For each product one
SRS is existing covering all technical safety requirements with a clear identification of safety
and non-safety related requirements.
The SRS is covered by the Requirements Profile and supported by the Design Specification. The
Requirements Profile contains a background for the project together with a description of the
intended use and targeted application areas. Each requirement has an allocation to the
responsible person and an identity. The identity both identifies the type of requirement and its
safety relevance. The used requirement identity supports requirements traceability both to the
Design Specification and to the V&V Test Specification (validation test specification).
During the design phase, the SRS is reviewed by designers for completeness and
understandability. The target of the review is always to detect inconsistencies and
incompatibilities of the requirements.
5.1.3 Hardware Design

The design process is documented in the P+F Development process. Items from IEC 61508-2,
Table B.2 include observance of guidelines and standards, (ATEX) project management,
documentation (design outputs are documented per quality procedures), structured design,
modularization, use of well-tried components computer-aided design tools. This meets SIL 2.
5.1.4 Validation
All specified safety requirements were tracked and successfully validated. The test specifications
contain the required description of the test, acceptance criteria and the documented result. Other
applicable aspects as the used configuration and version are documented in order to enable a
re-test of the product at a later stage.
Items from IEC 61508-2, Table B.3 include functional testing, project management,
documentation, and black-box testing (for the considered devices this is similar to functional
testing). Field experience and statistical testing via regression testing are not applicable. This
meets SIL 2.
Items from IEC 61508-2, Table B.5 included functional testing and functional testing under
environmental conditions, project management, documentation, failure analysis (analysis on
products that failed), expanded functional testing, black-box testing, and fault insertion testing.
This meets SIL 2.
5.1.5 Verification
The development and verification activities are defined in the FSM / V&V plan. For each design
phase the objectives are stated, required input and output documents and review activities. This
meets SIL 2.

5.1.6 Modifications
A modification procedure is defined in the FSM / V&V plan. This is implemented for product
changes starting with formal validation tests as there is no integration test planned for this Type
A product. The defined modification procedure, containing a procedure for Impact Analysis
including checklists, in combination with the generic development model fulfils the objectives of
IEC 61508.
As part of the scheme a surveillance audit is conducted every 3 years. The modification
documentation listed below is submitted as part of the surveillance audit. will review the
decisions made by the competent person in respect to the modifications made.
List of all anomalies reported
List of all modifications completed
Safety impact analysis which shall indicate with respect to the modification:
The initiating problem (e.g. results of root cause analysis)
The effect on the product / system
The elements/components that are subject to the modification
The extent of any re-testing
List of modified documentation
Regression test plans
This meets SIL 2.
5.1.7 User documentation

Pepperl + Fuchs GmbH create the following user documentation: product catalogs and a Safety
Manual. The Safety Manual was found to contain all of the required information given the
simplicity of the products. The Safety Manual references the FMEDA reports which are available
and contain the required failure rates, failure modes, useful life, and suggested proof test
information.
Items from IEC 61508-2, Table B.4 include operation and maintenance instructions, user
friendliness, maintenance friendliness, project management, documentation and limited
operation possibilities (HiC283* perform well-defined actions)
This meets SIL 2.
5.2 Hardware Assessment

To evaluate the hardware design of the HiC283* Failure Modes, Effects, and Diagnostic
performed by P+F.
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the
effects of different component failure modes, to determine what could eliminate or reduce the
chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect
and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with
extension to identify online diagnostics techniques and the failure modes relevant to safety
instrumented system design.
From the FMEDA, failure rates are derived for each important failure category. All failure rate
analysis results and useful life limitations are listed in the FMEDAs and related documents. The
FMEDAs list failure rates for the HiC283*. The failure rates listed are valid for the useful life of
the devices.

According to IEC 61508 the architectural constraints of an element must be determined. This can
be done by following the 1H approach according to 7.4.4.2 of IEC 61508 or the 2H approach
according to 7.4.4.3 of IEC 61508.
The 1H approach involves calculating the Safe Failure Fraction for the entire element.
The 2H approach involves assessment of the reliability data for the entire element according to
7.4.4.3.3 of IEC 61508.
Note, as the HiC283* are only one part of a (sub)system, the SFF should be calculated for the
entire final element combination.
These results must be considered in combination with PFDavg / PFH values of other devices of a
Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity
Level (SIL). The architectural constraints requirements of IEC 61508-2, Table 2 also need to be
evaluated for each final element application. It is the end-users responsibility to confirm this for
each particular application and to include all components of the final element in the calculations.
The analysis shows that the design of the HiC283* can meet the hardware requirements
of IEC 61508, SIL 2 for the HiC283* depending on the complete final element design. The
Hardware Fault Tolerance and PFDavg / PFH requirements of IEC 61508 must be verified for
each specific design.
5.2.1 Failure rates

The table below lists the failure rates in FIT (failures / 109 hours) for the assessed products:
Safe DU DD
HiC283* Inverting mode 106 26.8 3.3

HiC283* Non-Inverting mode 106 22.8 3.3

6 Terms and Definitions
Architectural Constraint The SIL limit imposed by the combination of SFF and HFT for Route
1H or by the HFT and Diagnostic Coverage (DC applies to Type B only)
for Route 2H
criteria A conservative approach to arriving at failure rates suitable for use in
hardware evaluations utilizing the 2H Route in IEC 61508-2.
Fault tolerance Ability of a functional unit to continue to perform a required function in
the presence of faults or errors (IEC 61508-4, 3.6.3)
FIT Failure In Time (1x10-9 failures per hour)
FMEDA Failure Mode Effect and Diagnostic Analysis
HFT Hardware Fault Tolerance
Low demand mode Mode, where the demand interval for operation made on a safety-
related system is greater than twice the proof test interval.
PFDavg Average Probability of Failure on Demand
Random Capability The SIL limit imposed by the PFDavg for each element.
SFF Safe Failure Fraction summarizes the fraction of failures, which lead to
a safe state and the fraction of failures which will be detected by
diagnostic measures and lead to a defined safety action.
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System Implementation of one or more Safety
Instrumented Functions. A SIS is composed of any combination of
sensor(s), logic solver(s), and final element(s).
Systematic Capability The SIL limit imposed by the capability of the products manufacturer.
Type A element - element (using discrete components); for details see
7.4.4.1.2 of IEC 61508-2
Type B element
controllers or programmable logic); for details see 7.4.4.1.3 of IEC
61508-2

7 Status of the Document
7.1 Liability
prepares reports based on methods advocated in International standards. accepts
no liability whatsoever for the use of this report or for the correctness of the standards on which
the general calculation methods are based.
7.2 Releases
Contract
Report Number Revision Notes
Number
Q16/10-014-C 10-05-041-C R022 V2, R1 Updated after final review.
Upgraded to 2nd edition of 61508. Variant
Q16/10-014-C 10-05-041-C R022 V2, R0 details moved to Annex to assessment
report.
Safety manual version updated August 19th,
Q10/05-041-C 1005-041-C R022 V1, R1
2011
Safety manual version and FMEDA
Q10/05-041-C 1005-041-C R022 V1, R0
calculations added, August 1st, 2011
Updated after review by certifying assessor,
Q10/05-041-C 1005-041-C R022 V0, R3
July 15th, 2011
Updated after customer review, July 15th,
Q10/05-041-C 1005-041-C R022 V0, R2
2011
Q10/05-041-C 1005-041-C R022 V0, R1 Initial version June 27th, 2011
Authors: Peter Söderblom
Reviewer: Ted Stewart, exida, 2016/10/19
Release status: Released
7.3 Future Enhancements

At request of client.
7.4 Release Signatures
Peter Söderblom, Senior Safety Engineer
Ted E. Stewart, CFSP, Program Development & Compliance Manager

Project:
HiC283*
Customer:
Pepperl + Fuchs GmbH
Mannheim
Germany
Contract Number: Q16/10-014-C
The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document.
© All rights reserved.
Table of Contents
1 Purpose and Scope .................................................................................................. 3
2 Reference documents............................................................................................... 4
2.1 Documentation provided by Pepperl + Fuchs GmbH ....................................................4
3 Product Descriptions................................................................................................. 5
3.1.1 Description of the variant HiC2831R1 and HiC2832R1 ......................................6
4 Hardware Version Numbers ..................................................................................... 7
5 Status of the Document ............................................................................................ 8
5.1 Liability .........................................................................................................................8
5.2 Releases ......................................................................................................................8
5.3 Future Enhancements ..................................................................................................8
5.4 Release Signatures ......................................................................................................8
© P+F 16-10-014-C R041 Annex to Assessment Report HiC283x V1 R1.docx

1 Purpose and Scope
This document contains the description of the different variants of the HiC2831 and HiC2832
products. The document versions provided for the assessments are also contained herein.
In case a new version Rx would be added, e.g. changing only a resistor value, this annex will be
updated but not the report and certificate.

2 Reference documents
2.1 Documentation provided by Pepperl + Fuchs GmbH

The assessment delivered by was performed based on the audit of the following
documents as provided by Pepperl + Fuchs GmbH.
D1 V&V plan FS-0045EA22A

FS-0045EA22C2
D2 P+F P02 Product Life Cycle P02-03 Development
D3 Requirements Profile: HiC283* DDE-1809C2
D4 Design Specification: HiC283* DDE-1809C3
D5 FMEDA:
HiC283* FS-0045EA-26A
FS-0045EA-26A2
HiC283*R1 FS-0045EA-26A3
Explanations FS-0045EA-27C
D6 Circuit Diagram FS-0045EA-26
D7 Fault Insertion Test specification FS0045EA-26_4
D8 Safety Manual TDOCT-2386CENG
D9 Data sheets:
HiC2831 FS-0045EA-33A
HiC2832 FS-0045EA-33A2
HiC2831R1 FS-0052EA-33
HiC2832R1 FS-0052EA-33_2
HiC2831R2 FS-0057EA-33
HiC2832R2 FS-0057EA-33_2
HiC2831R3 FS-0045EA-33C
HiC2832R3 FS-0045EA-33C_2
D10 Development Process P02-03 Development
D11 V&V Test Specification FS-0045EA-29C
D12 V&V Test Results:
HiC283* FS-0045EA-30A
HiC2831R1 / HiC2832R1 FS-0052EA-30
HiC2831R2 / HiC2832R2 FS-0057EA-30
HiC2831R3 / HiC2832R3 FS-0045EA-30B
D13 Impact analysis:
HiC2831R1 / HiC2832R1 FS-0052EA-25A
HiC2831R2 / HiC2832R2 FS-0057EA-25A
HiC2831R3 / HiC2832R3 FS-0045EA-25D
D14 De-rating analysis FS-0045EA-26_5
D15 Fault Insertion Test results FS-0045EA-26A6

3 Product Descriptions
The devices are isolated switch amplifiers which provide the power for NAMUR sensors in the
hazardous area and convert the sensors supply current into a line fault transparent (LFT) output
signal. The input of the HiC2831* control two passive transistor outputs while each input of the
HiC2832* controls one passive transistor output with resistive output characteristic.
With DIP switch S1 and S3 the output mode can be inverted. This means that the customer can
decide whether a low or a high input current leads to a low impedance respectively high
impedance output.
Below, the block diagrams for the different versions are shown:
Figure 1 HiC2831, HiC2831R2 and HiC2831R3
Figure 2 HiC2831R1

Figure 3 HiC2832, HiC2832R2 and HiC2832R3
Figure 4 HiC2832R1
3.1.1 Description of the variant HiC2831R1 and HiC2832R1

The output impedances of HiC2831 and HiC2832 are modified for compatibility with the
Yokogawa ProSafe digital input card SDV144. The modification is a minor change of the output
circuitry where the safety relevant behaviour is unchanged.

The output impedances of HiC2831 and HiC2832 are modified for compatibility with the
RUSIO-3224 module from Honeywell. The modification is an adjustment of the current via
modified resistor values in the output circuit.

The output impedances of HiC2831 and HiC2832 are modified for compatibility with the CC-
PDIL01 module from Honeywell. The modification is an adjustment of the current via modified
resistor values in the output circuit.
4 Hardware Version Numbers

The Hardware version for all of the HiC283* devices is 05-6327C.

5 Status of the Document
5.1 Liability
prepares reports based on methods advocated in International standards. accepts
no liability whatsoever for the use of this report or for the correctness of the standards on which
the general calculation methods are based.
5.2 Releases
Contract
Report Number Revision Notes
Number
Q16/10-014-C 1005-041-C R041 V1, R1 Updated after review October 19th, 2016
Q16/10-014-C 1005-041-C R041 V1, R0 Initial version October 14th, 2016
Authors: Peter Söderblom
Reviewer: Ted Stewart, , 2016-10-19
Release status: Release
5.3 Future Enhancements

At request of client.
5.4 Release Signatures
Peter Söderblom, Senior Safety Engineer
Ted E. Stewart, CFSP, Program Development & Compliance Manager

Safety Assessment
Reliability Data Sheet: Rev. 0
Pepperl+Fuchs – Relay Module
Device Type No. KFD2-RSH-1.2D.FL* and KFD2-RSH-1.2E.L*
DOCT-5815B Functional Safety Manual 06-2018 - Exida
DOCT-5816B Functional Safety Manual 06-2018 - Exida
968/FSP
TÜV Certificate 12-2017 - TÜV Rheinland
1538.00/17
Manufacturer Model Type OS ODD ODU

KFD2-RSH-1.2D.FL2,
Pepperl+Fuchs KFD2-RSH-1.2D.FL3 A 4.53E-01 0 8.60E-04
DTS
KFD2-RSH-1.2E.L2,
Pepperl+Fuchs KFD2-RSH-1.2E.L3 A 3.00E-01 0 3.47E-03
ETS
conservative data.
Manufacturer claims compliance to Systematic Capability: SC3(*)

(*) Exida, P+F 090535 P0006 C011.2
Considerations
Values are only valid for Route 1H.
Values are taken from the attached safety manuals without change.
Bucharest, 14 – 03 – 2019 Amersfoort, 19 – 03 – 2019

George Bogdan Blanda Jeff Beijk
PROCESS AUTOMATION
ORIGINAL INSTRUCTIONS
Functional Safety
Relay Module
KFD2-RSH-1.2D.FL2,
KFD2-RSH-1.2D.FL3
ISO9001
3 PL e
Functional Safety KFD2-RSH-1.2D.FL2, KFD2-RSH-1.2D.FL3
With regard to the supply of products, the current issue of the following document is applicable: The General Terms of
Delivery for Products and Services of the Electrical Industry, published by the Central Association of the Electrical
Industry (Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most recent version as well as the
supplementary clause: "Expanded reservation of proprietorship"
Content
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Content of this Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Symbols Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Product Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1 Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4 Standards and Directives for Functional Safe. . . . . . . . . . . . . . . . . . . . 8
3 Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1 System Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 Safety Function and Safe State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4 Characteristic Safety Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.5 Useful Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4 Mounting and Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4.1 Mounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
5.1 Internal Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.2 Proof Test Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.3 Application Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6 Maintenance and Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

7 List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2018-06
3
Introduction
1 Introduction
1.1 Content of this Document
This document contains safety-relevant information for usage of the device. You need this
information to use your product throughout the applicable stages of the product life cycle.
These can include the following:
• Product identification
• Delivery, transport, and storage
• Mounting and installation
• Commissioning and operation
• Maintenance and repair
• Troubleshooting
• Dismounting
• Disposal
Note!
For full information on the product, refer to the further documentation on the Internet at
www.pepperl-fuchs.com.
The documentation consists of the following parts:

• Present document
• Instruction manual
• Manual
• Datasheet
Additionally, the following parts may belong to the documentation, if applicable:
• EU-type examination certificate
• EU declaration of conformity
• Attestation of conformity
• Certificates
• Control drawings
• FMEDA report
• Assessment report
• Additional documents
For more information about Pepperl+Fuchs products with functional safety, see www.pepperl-
fuchs.com/sil.
2018-06
4
Introduction
1.2 Safety Information

Target Group, Personnel
Responsibility for planning, assembly, commissioning, operation, maintenance, and
dismounting lies with the plant operator.
Only appropriately trained and qualified personnel may carry out mounting, installation,
commissioning, operation, maintenance, and dismounting of the product. The personnel must
have read and understood the instruction manual and the further documentation.
Intended Use
The device is only approved for appropriate and intended use. Ignoring these instructions will
void any warranty and absolve the manufacturer from any liability.
The device is developed, manufactured and tested according to the relevant safety standards.
Use the device only

• for the application described
• with specified environmental conditions
• with devices that are suitable for this safety application
Improper Use
Protection of the personnel and the plant is not ensured if the device is not used according to
its intended use.
2018-06
5
Introduction
1.3 Symbols Used

This document contains symbols for the identification of warning messages and of informative
messages.
Warning Messages
You will find warning messages, whenever dangers may arise from your actions. It is
mandatory that you observe these warning messages for your personal safety and in order to
avoid property damage.
Depending on the risk level, the warning messages are displayed in descending order as
follows:
Danger!
This symbol indicates an imminent danger.
Non-observance will result in personal injury or death.
Warning!
This symbol indicates a possible fault or danger.
Non-observance may cause personal injury or serious property damage.
Caution!
This symbol indicates a possible fault.
Non-observance could interrupt the device and any connected systems and plants, or result
in their complete failure.
Informative Symbols
Note!
This symbol brings important information to your attention.
Action
This symbol indicates a paragraph with instructions. You are prompted to perform an action or
a sequence of actions.
2018-06
6
Product Description
2 Product Description
2.1 Function
General
This signal conditioner provides the galvanic isolation between field circuits and control
circuits.
The de-energized to safe (DTS) function is permitted for SIL 3 and PL e applications.
An internal fault or a line fault is signalized by the impedance change of the relay contact input
and an additional relay contact output.
A fault is signalized by LEDs and a separate collective error message output.
The output must be protected against contact welding by an internal fuse or an external current
limitation.
KFD2-RSH-1.2D.FL2
The device is a relay module that is suitable for safely switching applications of a load circuit.
The device isolates load circuits up to 60 V DC and the 24 V DC control circuit.
KFD2-RSH-1.2D.FL3
The device isolates load circuits up to 230 V AC and the 24 V DC control circuit.
2.2 Interfaces
The device has the following interfaces:
• Safety-relevant interfaces: input, output (DTS)
• Non-safety relevant interfaces: fault indication output
Note!
For corresponding connections see datasheet.
2.3 Marking
Pepperl+Fuchs GmbH
Lilienthalstraße 200, 68307 Mannheim, Germany
Internet: www.pepperl-fuchs.com
KFD2-RSH-1.2D.FL2, KFD2-RSH-1.2D.FL3 Up to SIL 3 and PL e

2018-06
7
Product Description
2.4 Standards and Directives for Functional Safe

Device-specific standards and directives
Functional safety IEC/EN 61508, part 1 – 2, edition 2010:
Functional safety of electrical/electronic/programmable
electronic safety-related systems (manufacturer)
Machinery Directive • EN/ISO 13849, part 1, edition 2015:

2006/42/EC Safety-related parts of control systems (manufacturer)
• IEC 62061, edition 2005 + A1:2012 + A2:2015
EN 62061, edition 2005 + Cor. 2010 + A1:2013 + A2:2015:
Safety of machinery – Functional safety of safety-related
electrical, electronic and programmable electronic control
systems
2018-06
8
Planning
3 Planning
3.1 System Structure
3.1.1 Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one for the functional
safety, then usually the demand rate for the safety loop is assumed to be less than once per
year.
The relevant safety parameters to be verified are:

• the PFDavg value (average Probability of dangerous Failure on Demand) and the
T1 value (proof test interval that has a direct impact on the PFDavg value)
• the SFF value (Safe Failure Fraction)
• the HFT architecture (Hardware Fault Tolerance)
3.1.2 High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and safety-related
operation, then usually the demand rate for this safety loop is assumed to be higher than once
per year.

• the PFH value (Probability of dangerous Failure per Hour)
• Fault reaction time of the safety system
3.1.3 Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous detected failures
to the total failure rate.
SFF = (Os + Odd) / (Os + Odd + Odu)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or (sub)systems
in a complete safety loop. The device under consideration is always part of a safety loop but is
not regarded as a complete element or subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure fraction of
elements, subsystems and the complete system, but not of a single device.
Nevertheless the SFF of the device is given in this document for reference.
2018-06
9
Planning
3.2 Assumptions
The following assumptions have been made during the FMEDA:
• Failure rates are constant, wear is not considered.
• Failure rate based on the Siemens standard SN29500.
• The safety-related device is considered to be of type A device with a hardware fault
tolerance of 0.
• The device will be used under average industrial ambient conditions comparable to the
classification "stationary mounted" according to MIL-HDBK-217F.
Alternatively, operating stress conditions typical of an industrial field environment similar to
IEC/EN 60654-1 Class C with an average temperature over a long period of time of 40 ºC
may be assumed. For a higher average temperature of 60 ºC, the failure rates must be
multiplied by a factor of 2.5 based on experience. A similar factor must be used if frequent
temperature fluctuations are expected.The nominal voltage at the digital input is 24 V.
Ensure that the nominal voltage do not exceed 26.4 V under all operating conditions.
• The DO card must be able to supply a signal current of at least 100 mA.
• Observe for the high demand mode the useful lifetime limitations of the output relays.
• The relay contacts must be protected against overcurrent with a suitable current limitation.
For this purpose, either the internal fuse or an external current limitation with the same limit
values must be used.
SIL 3 application
• The device shall claim less than 10 % of the total failure rate for a SIL 3 safety loop.
• For a SIL 3 application operating in low demand mode the total PFDavg value of the
SIF (Safety Instrumented Function) should be smaller than 10-3, hence the maximum
allowable PFDavg value would then be 10-4.
• For a SIL 3 application operating in high demand mode the total PFH value of the
SIF should be smaller than 10-7 per hour, hence the maximum allowable PFH value would
then be 10-8 per hour.
• Since the safety loop has a hardware fault tolerance of 0 and it is a type A device, the
SFF must be > 90 % according to table 2 of IEC/EN 61508-2 for a SIL 3 (sub) system.
SILCL and PL application

• The device was qualified for use in safety functions acc. to IEC/EN 62061 and
EN/ISO 13849-1. The device fulfils the requirements for a SILCL of SIL 3 acc. to
IEC/EN 62061 and due to the equivalency between these standards PL e acc. to
EN/ISO 13849-1.
2018-06
10
Planning
3.3 Safety Function and Safe State

Safety Function
Whenever the input of the device is de-energized, the DTS output is not conducting.
Safe State
In the safe state of the safety function the DTS output is open (non-conducting).
Reaction Time
The reaction time is < 2 s.
2018-06
11
Planning
3.4 Characteristic Safety Values

Parameters Characteristic values
Assessment type and documentation Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function Output is de-energized (DTS, de-energized to safe)
HFT 0
SIL (SC) 3
SILCL 3
PL e
Os 1 453 FIT
Odd 0 FIT
2
Odu 0.86 FIT
Ototal (safety function)1 454 FIT
Ototal 1735 FIT
1
SFF 99.8 %
MTBF 3 66 years
MTTFd 1115 years (high)
4
DCavg 95.3 %
PTC 95.3 %
PFH 8.55 x 10-10 1/h
5
PFDavg for T1 = 1 year 5.36 x 10-6
PFDavg for T1 = 2 years 4 8.95 x 10-6
Reaction time 6 <2s
Table 3.1
1
"No effect failures" are not influencing the safety function and are therefore not included in SFF and in the failure rates of the safety
function.
2
While the diagnostic function is signaling the dangerous failure of one relay, the other two redundant relays continue to provide the
safety function. Exceptions are common cause failures that disrupt all three relays. While the diagnostic function is signaling the
failure, the probability of a dangerous undetected failure for the remaining two relays is increasing to 2.0 FIT.
3 acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 8 h. The value is calculated for one
safety function of the device.
4
Enable the internal fault detection to achieve a diagnostic coverage of 95.3 %. See chapter 5.1.
5 Since the current PTC value is < 100 % and therefore the probability of failure will increase, calculate the PFD value according to the
following formula:
PFDavg = (Odu / 2) x (PTC x T1 + (1 – PTC) x Tservice)
A service time Tservice of 10 years was assumed for the calculation of PFDavg.
6
Time between fault detection and fault reaction.
The characteristic safety values like PFD, PFH, SFF, HFT and T1 are taken from the
FMEDA report. Observe that PFD and T1 are related to each other.
The function of the devices has to be checked within the proof test interval (T1).
2018-06
12
Planning
3.5 Useful Lifetime

Although a constant failure rate is assumed by the probabilistic estimation this only applies
provided that the useful lifetime of components is not exceeded. Beyond this useful lifetime,
the result of the probabilistic estimation is meaningless as the probability of failure significantly
increases with time. The useful lifetime is highly dependent on the component itself and its
operating conditions – temperature in particular. For example, the electrolytic capacitors can
be very sensitive to the operating temperature.
This assumption of a constant failure rate is based on the bathtub curve, which shows
the typical behavior for electronic components.
Therefore it is obvious that failure calculation is only valid for components that have this
constant domain and that the validity of the calculation is limited to the useful lifetime of each
component.
It is assumed that early failures are detected to a huge percentage during the installation and
therefore the assumption of a constant failure rate during the useful lifetime is valid.
However, according to IEC/EN 61508-2, a useful lifetime, based on general experience,

should be assumed. Experience has shown that the useful lifetime often lies within a range
period of about 8 to 12 years.
As noted in DIN EN 61508-2:2011 note N3, appropriate measures taken by the manufacturer
and plant operator can extend the useful lifetime.
Our experience has shown that the useful lifetime of a Pepperl+Fuchs product can be higher
if the ambient conditions support a long life time, for example if the ambient temperature is
significantly below 60 °C.
Please note that the useful lifetime refers to the (constant) failure rate of the device.
The effective life time can be higher.
Derating
For the safety application, reduce the number of switching cycles or the maximum current.
A derating to 2/3 of the maximum value is adequate.
Maximum Switching Power of Output Contacts

The useful lifetime is limited by the maximum switching cycles of the relays under load
conditions.
Note!
See corresponding datasheets for further information.
2018-06
13
Mounting and Installation
4 Mounting and Installation

Mounting and Installing the Device
1. Observe the safety instructions in the instruction manual.
2. Observe the information in the manual.
3. Observe the requirements for the safety loop.
4. Connect the device only to devices that are suitable for this safety application.
5. Check the safety function to ensure the expected output behavior.
4.1 Mounting
Tighten the terminal screws with a torque of 20 Nm.
4.2 Installation
To avoid contact welding we recommend using a serial fuse in the load circuit
The device is delivered with a replaceable fuse. Replace this fuse only with a fuse up to 5 AT.
Optionally use an unfused terminal with an external current limitation.
4.3 Configuration
Note!
The device configuration via DIP switches is not safety relevant.
Configuring the Device

The device is configured via DIP switches. The DIP switches are on the side of the device.
1. De-energize the device before configuring the device.
2. Remove the device.
3. Configure the device via the DIP switches.
4. Secure the DIP switches to prevent unintentional adjustments.
5. Mount the device.
6. Connect the device again.
Note!
See corresponding datasheets for further information. 2018-06
14
4.3.1 Output Configuration

Switch Line fault detection Internal fault detection
S1 S2
Off Off disabled disabled
On Off enabled disabled
Off On not used
On On enabled enabled
Table 4.1
2018-06
15
Operation
5 Operation
Danger!
Danger to life from missing safety function
If the safety loop is put out of service, the safety function is no longer guaranteed.
• Do not deactivate the device.
• Do not bypass the safety function.
• Do not repair, modify, or manipulate the device.
Danger!
Danger to life from faulty or missing fuse protection of the relay contacts
Faulty or missing fuse protection of the relay contacts can compromise the safety function and
the electrical safety of the device.
• Protect the relay contacts with a suitable current limitation against overcurrent.
• Use the internal fuse for protection.
• If you do not use the internal fuse, use an external current limitation with the same limit
values.
Warning!
Risk of burns from hot surface
Touching the hot surface of the device can result in burns.

• Do not touch the hot surface of the device.
• Let the device surface cool down before touching the device.
• Do not cover the warning marking on the device. Do not remove the warning marking from
the device.
Operating the device

3. Use the device only with devices that are suitable for this safety application.
4. Correct any occurring safe failures within 8 hours. Take measures to maintain the safety
function while the device is being repaired.
2018-06
16
Operation
5.1 Internal Diagnosis

With enabled internal fault detection a diagnostic coverage of 95.3 % is achieved. Monitor one
of the 4 possible ways of fault detection:
• Input impedance change 1
• Fault indication output
• Collective error message output
• LED indication
The device has three output relays. Therefore, three switching operations are necessary to
ensure a complete diagnosis. You have 2 options to achieve the diagnostic coverage,
see step 2 or 3.
Internal Diagnosis Procedure
1. Enable the internal fault detection. See chapter 4.3.1.
2. Switch on the output manually three times.
or
Observe whether the output switches on three times during the normal operation.
Note!
Maintain a distance of at least 2 s between the switching processes.
3. Check the output function at periodic intervals. Switch on the output at least three times a
year as described in the steps 1 to 3.
2018-06
1
In this case only use a safety PLC with digital output and line fault detection.
17
Operation
5.2 Proof Test Procedure

According to IEC/EN 61508-2 a recurring proof test shall be undertaken to reveal potential
dangerous failures that are not detected otherwise.
Check the function of the subsystem at periodic intervals depending on the applied PFDavg in
accordance with the characteristic safety values. See chapter 3.4.
It is under the responsibility of the plant operator to define the type of proof test and the interval
time period.
Conditions
KFD2-RSH-1.2D.FL2 KFD2-RSH-1.2D.FL3
Load power supply > 5 V DC > 35.5 V AC
Device power supply (LED 24 V DC 24 V DC
PWR is on)
Load 13.2 : < R < 7.3 k: 39.2 : < R < 45 k:
Current through load 14 mA < I < 1.9 A 13.5 mA AC < I < 4.9 A AC
Table 5.1
If the conditions are met, you can also check the device in the application.
Proof Test Procedure
1. Enable the internal fault detection and the line fault detection. See chapter 4.3.1.
2. Check the device as shown in the following tables.
3. After check reset the device to the necessary settings.
4. Check the correct behavior of the safety loop. Is the configuration correct?
2018-06
18
Operation
Test No. Input Output

1 V = 0 V DC between terminals 7+ and 8-
2 Wait at least 2 seconds. • LED OUT is off.
• LED FLT is off 1 .
4 Wait at least 2 seconds. • LED OUT is on.
• LED FLT is off 1.
Table 5.2 Expected test results for the proof test
1 When the FLT LED flashes, a line fault is present. Check whether the supply voltage and the connected load are in the OK area of the
line fault detection.
When the FLT LED is lit continuously, an internal fault is present. Reset the internal fault by interrupting the power supply (terminals
14+/15-).
Only if all tests are successfully done, the proof test is successful.
2018-06
19
Operation
5.3 Application Examples

5.3.1 Standard Application for Dual Pole Switching
For a switching application, the device has to be attached to the process control system and
the load the following way.
KFD2-RSH-1.2D.FL2
4+ 7+
8- V
DTS 5+
10
3
11
2-
14+
15-
24 V DC
Fault 24 V DC
Power Rail Zone 2
Figure 5.1 Standard application for dual pole switching
In the standard application, the process control system is connected to terminals 7+ and 8-.
The line fault transparency (LFT) of the safety relay must be compatible with the line fault
detection of the process control system output. Terminals 10 and 11 can be used as fault
indication output to the process control system.
The characteristic safety values valid for the standard application can be found in Table 3.1.
2018-06
20
Operation
5.3.2 Application with Fault Indication Output in the Signal Loop of the Dual
Pole Switching
Some process control systems are not working with test pulses or with specific test pulses that
do not recognize the impedance change of the device output signaling a line fault. Where the
output of the process control system can detect an open circuit in the signal loop, the fault
indication output of the device may be put in series to the input. See figure.
KFD2-RSH-1.2D.FL2
4+ 7+
8- V
DTS 5+
10
3
11
2-
14+
15-
24 V DC
Fault 24 V DC
Power Rail Zone 2
Figure 5.2 Application with fault indication output in the signal loop of the dual pole switching
If the fault indication output is open, the output relay contacts cannot be enabled. But as the
fault is detected by the process control system a suitable reaction can be planned. The user
must ensure that a suitable reaction on this detected fault is implemented.
For this application, the characteristic safety values are the same. The characteristic safety
values can be found in Table 3.1.
2018-06
21
Maintenance and Repair
6 Maintenance and Repair

Danger!
Warning!
Risk of burns from hot surface
Touching the hot surface of the device can result in burns.

• Do not touch the hot surface of the device.
• Let the device surface cool down before touching the device.
• Do not cover the warning marking on the device. Do not remove the warning marking from
the device.
Maintaining, Repairing or Replacing the Device

In case of maintenance, repair or replacement of the device, proceed as follows:
1. Implement appropriate maintenance procedures for regular maintenance of the safety loop.
2. Ensure the proper function of the safety loop, while the device is maintained, repaired or
replaced.
If the safety loop does not work without the device, shut down the application. Do not
restart the application without taking proper precautions.
Secure the application against accidental restart.
3. Do not repair a defective device. A defective device must only be repaired by the
manufacturer.
4. Replace a defective device only by a device of the same type.
2018-06
22
List of Abbreviations
7 List of Abbreviations
ESD Emergency Shutdown
FIT Failure In Time in 10-9 1/h
FMEDA Failure Mode, Effects, and Diagnostics Analysis
Os Probability of safe failure
Odd Probability of dangerous detected failure
Odu Probability of dangerous undetected failure
Ono effect Probability of failures of components in the safety loop that have no effect on the safety
function. The no effect failure is not used for calculation of SFF.
Onot part Probability of failure of components that are not in the safety loop
Ototal (safety function) Probability of failure of components that are in the safety loop
MTBF Mean Time Between Failures
MTTR Mean Time To Restoration
PCS Process Control System
PFDavg Average Probability of dangerous Failure on Demand
PFH Average frequency of dangerous failure
PLC Programmable Logic Controller
PTC Proof Test Coverage
SFF Safe Failure Fraction
SIL (SC) Safety Integrity Level (Systematic Capability)
SIS Safety Instrumented System
T1 Proof Test Interval
Tservice Time from start of operation to putting the device out of service
DTS De-energized To Safe (sicherheitsgerichtetes Abschalten)
ETS Energized To Safe (sicherheitsgerichtetes Anschalten)
B10d Number of switching cycles until 10 % of the components fail dangerously
DC Diagnostic Coverage of dangerous faults
MTTFd Mean Time To dangerous Failure
PL Performance Level
SILCL SIL Claim Limit (for a subsystem)
2018-06
23
PROCESS AUTOMATION –
PROTECTING YOUR PROCESS
Worldwide Headquarters
Pepperl+Fuchs GmbH
68307 Mannheim · Germany
Tel. +49 621 776-0
E-mail: info@de.pepperl-fuchs.com
For the Pepperl+Fuchs representative

closest to you check www.pepperl-fuchs.com/contact
www.pepperl-fuchs.com
Subject to modifications
Copyright PEPPERL+FUCHS • Printed in Germany DOCT-5815B
06/2018
PROCESS AUTOMATION
MANUAL
Functional Safety
Relay Module
KFD2-RSH-1.2E.L2,
KFD2-RSH-1.2E.L3
ISO9001
3
Functional Safety KFD2-RSH-1.2E.L2, KFD2-RSH-1.2E.L3
With regard to the supply of products, the current issue of the following document is applicable: The General Terms of
Delivery for Products and Services of the Electrical Industry, published by the Central Association of the Electrical
Industry (Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most recent version as well as the
supplementary clause: "Expanded reservation of proprietorship"
Content
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Content of this Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Symbols Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Product Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1 Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4 Standards and Directives for Functional Safe. . . . . . . . . . . . . . . . . . . . 7
3 Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1 System Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3 Safety Function and Safe State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.4 Characteristic Safety Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.5 Useful Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4 Mounting and Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4.1 Mounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1 Internal Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.2 Proof Test Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
5.3 Application Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
6 Maintenance and Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

7 List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2018-06
3
Introduction
1 Introduction
1.1 Content of this Document
This document contains information for usage of the device in functional safety-related
applications. You need this information to use your product throughout the applicable stages of
the product life cycle. These can include the following:
• Product identification
• Delivery, transport, and storage
• Mounting and installation
• Commissioning and operation
• Maintenance and repair
• Troubleshooting
• Dismounting
• Disposal
Note!
This document does not substitute the instruction manual.
Note!
For full information on the product, refer to the instruction manual and further documentation
on the Internet at www.pepperl-fuchs.com.
The documentation consists of the following parts:

• Present document
• Instruction manual
• Manual
• Datasheet
Additionally, the following parts may belong to the documentation, if applicable:
• EU-type examination certificate
• EU declaration of conformity
• Attestation of conformity
• Certificates
• Control drawings
• FMEDA report
• Assessment report
• Additional documents
For more information about Pepperl+Fuchs products with functional safety, see www.pepperl-
fuchs.com/sil.
2018-06
4
Introduction
1.2 Safety Information

Target Group, Personnel
Responsibility for planning, assembly, commissioning, operation, maintenance, and
dismounting lies with the plant operator.
Only appropriately trained and qualified personnel may carry out mounting, installation,
commissioning, operation, maintenance, and dismounting of the product. The personnel must
have read and understood the instruction manual and the further documentation.
Intended Use
The device is only approved for appropriate and intended use. Ignoring these instructions will
void any warranty and absolve the manufacturer from any liability.
The device is developed, manufactured and tested according to the relevant safety standards.
Use the device only

• for the application described
• with specified environmental conditions
• with devices that are suitable for this safety application
Improper Use
Protection of the personnel and the plant is not ensured if the device is not used according to
its intended use.
2018-06
5
Introduction
1.3 Symbols Used

This document contains symbols for the identification of warning messages and of informative
messages.
Warning Messages
You will find warning messages, whenever dangers may arise from your actions. It is
mandatory that you observe these warning messages for your personal safety and in order to
avoid property damage.
Depending on the risk level, the warning messages are displayed in descending order as
follows:
Danger!
This symbol indicates an imminent danger.
Non-observance will result in personal injury or death.
Warning!
This symbol indicates a possible fault or danger.
Non-observance may cause personal injury or serious property damage.
Caution!
This symbol indicates a possible fault.
Non-observance could interrupt the device and any connected systems and plants, or result
in their complete failure.
Informative Symbols
Note!
This symbol brings important information to your attention.
Action
This symbol indicates a paragraph with instructions. You are prompted to perform an action or
a sequence of actions.
2018-06
6
Product Description
2 Product Description
2.1 Function
General
This signal conditioner provides the galvanic isolation between field circuits and control
circuits.
The energized to safe (ETS) function is permitted for SIL 3 applications.
An internal fault or a line fault is signalized by the impedance change of the relay contact input
and an additional relay contact output.
A fault is signalized by LEDs and a separate collective error message output.
KFD2-RSH-1.2E.L2
The device isolates load circuits up to 60 V DC and the 24 V DC control circuit.
KFD2-RSH-1.2E.L3
The device isolates load circuits up to 230 V AC and the 24 V DC control circuit.
2.2 Interfaces
The device has the following interfaces:
• Safety-relevant interfaces: input, output (ETS)
• Non-safety relevant interfaces: fault indication output
Note!
For corresponding connections see datasheet.
2.3 Marking
Pepperl+Fuchs GmbH
Lilienthalstraße 200, 68307 Mannheim, Germany
Internet: www.pepperl-fuchs.com
KFD2-RSH-1.2E.L2, KFD2-RSH-1.2E.L3 Up to SIL 3
2.4 Standards and Directives for Functional Safe

Device-specific standards and directives
Functional safety IEC/EN 61508, part 1 – 2, edition 2010:
Functional safety of electrical/electronic/programmable
electronic safety-related systems (manufacturer)
2018-06
7
Planning
3 Planning
3.1.1 Low Demand Mode of Operation
If there are two control loops, one for the standard operation and another one for the functional
safety, then usually the demand rate for the safety loop is assumed to be less than once per
year.

• the PFDavg value (average Probability of dangerous Failure on Demand) and the
T1 value (proof test interval that has a direct impact on the PFDavg value)
3.1.2 High Demand or Continuous Mode of Operation
If there is only one safety loop, which combines the standard operation and safety-related
operation, then usually the demand rate for this safety loop is assumed to be higher than once
per year.

• the PFH value (Probability of dangerous Failure per Hour)
• Fault reaction time of the safety system
3.1.3 Safe Failure Fraction
The safe failure fraction describes the ratio of all safe failures and dangerous detected failures
to the total failure rate.
SFF = (Os + Odd) / (Os + Odd + Odu)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or (sub)systems
in a complete safety loop. The device under consideration is always part of a safety loop but is
not regarded as a complete element or subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure fraction of
elements, subsystems and the complete system, but not of a single device.
Nevertheless the SFF of the device is given in this document for reference.
2018-06
8
Planning
3.2 Assumptions
The following assumptions have been made during the FMEDA:
• Failure rates are constant, wear is not considered.
• Failure rate based on the Siemens standard SN29500.
• The safety-related device is considered to be of type A device with a hardware fault
tolerance of 0.
• The device will be used under average industrial ambient conditions comparable to the
classification "stationary mounted" according to MIL-HDBK-217F.
Alternatively, operating stress conditions typical of an industrial field environment similar to
IEC/EN 60654-1 Class C with an average temperature over a long period of time of 40 ºC
may be assumed. For a higher average temperature of 60 ºC, the failure rates must be
multiplied by a factor of 2.5 based on experience. A similar factor must be used if frequent
temperature fluctuations are expected.
• The nominal voltage at the digital input is 24 V. Ensure that the nominal voltage do not
exceed 26.4 V under all operating conditions.
• The DO card must be able to supply a signal current of at least 100 mA.
• Observe for the high demand mode the useful lifetime limitations of the output relays.
SIL 3 application
• The device shall claim less than 10 % of the total failure rate for a SIL 3 safety loop.
• For a SIL 3 application operating in low demand mode the total PFDavg value of the
SIF (Safety Instrumented Function) should be smaller than 10-3, hence the maximum
allowable PFDavg value would then be 10-4.
• For a SIL 3 application operating in high demand mode the total PFH value of the
SIF should be smaller than 10-7 per hour, hence the maximum allowable PFH value would
then be 10-8 per hour.
• For a SIL 3 application operating in high demand mode the internal fault detection and the
line fault detection must be enabled. The fault indication output, the collective error
message output, or the input impedance change must be monitored. In case of detected
faults the necessary reaction must be introduced.
• If the device is used in applications for high demand mode, perform a risk analysis
regarding systematic faults and implement suitable measures to control these systematic
faults. For example, this can be the following measures:
• usage of redundant power supplies,
• monitoring of input signal, wiring and connections for short circuits and open circuits,
• monitoring the output for open circuits.
• Since the safety loop has a hardware fault tolerance of 0 and it is a type A device,
the SFF must be > 90 % according to table 2 of IEC/EN 61508-2 for a SIL 3 (sub) system.
SILCL and PL application

• The standards IEC/EN 62061 and EN/ISO 13849-1 require that the safety device is
implemented according to the idle current principle. As the device is implemented following
the working current principle, no safety classification according to IEC/EN 62061 and
EN/ISO 13849-1 was carried out. If you use the device in machinery safety applications,
assess the specific application and show that an equivalent safety level will be achieved.
2018-06
9
Planning

Safety Function
Whenever the input of the device is energized, the ETS output is conducting.
Safe State
In the safe state of the safety function the ETS output is closed (conducting).
Reaction Time
The reaction time is < 2 s.
2018-06
10
Planning

Parameters Characteristic values
Assessment type and documentation Full assessment
Device type A
Mode of operation Low demand mode or high demand mode
Safety function Output is energized (ETS, energized to safe)
HFT 0
SIL (SC) 3
1
Os 300 FIT
Odd 0 FIT
Odu 2 3.47 FIT
1
Ototal (safety function) 304 FIT
Ototal 2052 FIT
SFF 1 98.8 %
3
MTBF 56 years
4
DCavg 81.2 %
PTC 81.2 %
PFH 3.47 x 10-9 1/h
PFDavg for T1 = 1 year 5 4.1 x 10-5
6
Reaction time <2s
Table 3.1
1 "No effect failures" are not influencing the safety function and are therefore not included in SFF and in the failure rates of the safety
function.
2
While the diagnostic function is signaling the dangerous failure of one relay, the other two redundant relays continue to provide the
safety function. Exceptions are common cause failures that disrupt all three relays. While the diagnostic function is signaling the
failure, the probability of a dangerous undetected failure for the remaining two relays is increasing to 11.4 FIT.
3
acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 8 h. The value is calculated for one
safety function of the device.
4
Enable the internal fault detection to achieve a diagnostic coverage of 81.2 %. See chapter 5.1.
5 Since the current PTC value is < 100 % and therefore the probability of failure will increase, calculate the PFD value according to the
following formula:
PFDavg = (Odu / 2) x (PTC x T1 + (1 – PTC) x Tservice)
A service time Tservice of 10 years was assumed for the calculation of PFDavg.
6
Time between fault detection and fault reaction.
The characteristic safety values like PFD, PFH, SFF, HFT and T1 are taken from the
FMEDA report. Observe that PFD and T1 are related to each other.
The function of the devices has to be checked within the proof test interval (T1).
2018-06
11
Planning
3.5 Useful Lifetime

Although a constant failure rate is assumed by the probabilistic estimation this only applies
provided that the useful lifetime of components is not exceeded. Beyond this useful lifetime,
the result of the probabilistic estimation is meaningless as the probability of failure significantly
increases with time. The useful lifetime is highly dependent on the component itself and its
operating conditions – temperature in particular. For example, the electrolytic capacitors can
be very sensitive to the operating temperature.
This assumption of a constant failure rate is based on the bathtub curve, which shows the
typical behavior for electronic components.
Therefore it is obvious that failure calculation is only valid for components that have this
constant domain and that the validity of the calculation is limited to the useful lifetime of each
component.
It is assumed that early failures are detected to a huge percentage during the installation and
therefore the assumption of a constant failure rate during the useful lifetime is valid.
However, according to IEC/EN 61508-2, a useful lifetime, based on general experience,

should be assumed. Experience has shown that the useful lifetime often lies within a range
period of about 8 to 12 years.
As noted in DIN EN 61508-2:2011 note N3, appropriate measures taken by the manufacturer
and plant operator can extend the useful lifetime.
Our experience has shown that the useful lifetime of a Pepperl+Fuchs product can be higher if
the ambient conditions support a long life time, for example if the ambient temperature is
significantly below 60 °C.
Please note that the useful lifetime refers to the (constant) failure rate of the device. The
effective life time can be higher.
Derating
For the safety application, reduce the number of switching cycles or the maximum current. A
derating to 2/3 of the maximum value is adequate.

The useful lifetime is limited by the maximum switching cycles of the relays under load
conditions.
Note!
2018-06
12
4 Mounting and Installation

Mounting and Installing the Device
3. Observe the requirements for the safety loop.
4. Connect the device only to devices that are suitable for this safety application.
5. Check the safety function to ensure the expected output behavior.
4.1 Mounting
Tighten the terminal screws with a torque of 20 Nm.
4.2 Configuration
Note!
The device configuration via DIP switches is not safety relevant.
Configuring the Device

The device is configured via DIP switches. The DIP switches are on the side of the device.
1. De-energize the device before configuring the device.
2. Remove the device.
3. Configure the device via the DIP switches.
4. Secure the DIP switches to prevent unintentional adjustments.
5. Mount the device.
6. Connect the device again.
Note!
4.2.1 Output Configuration

Switch Line fault detection Internal fault detection
S1 S2
Off Off disabled disabled
On Off enabled disabled
Off On not used
On On enabled enabled
Table 4.1
2018-06
13
Operation
5 Operation
Danger!
Operating the device

3. Use the device only with devices that are suitable for this safety application.
4. Correct any occurring safe failures within 8 hours. Take measures to maintain the safety
function while the device is being repaired.
5.1 Internal Diagnosis

With enabled internal fault detection a diagnostic coverage of 81.2 % is achieved. Monitor one
of the 4 possible ways of fault detection:
• Input impedance change 1
• Fault indication output
• Collective error message output
• LED indication
The device has three output relays. Therefore, three switching operations are necessary to
ensure a complete diagnosis. You have 2 options to achieve the diagnostic coverage,
see step 2 or 3.
Internal Diagnosis Procedure
1. Enable the internal fault detection. See chapter 4.2.1.
2. Switch on the output manually three times.
or
Observe whether the output switches on three times during the normal operation.
Note!
Maintain a distance of at least 2 s between the switching processes.
3. Check the output function at periodic intervals. Switch on the output at least three times
a year as described in the steps 1 to 3.
2018-06
1
In this case only use a safety PLC with digital output and line fault detection.
14
Operation

According to IEC/EN 61508-2 a recurring proof test shall be undertaken to reveal potential
dangerous failures that are not detected otherwise.
Check the function of the subsystem at periodic intervals depending on the applied PFDavg in
accordance with the characteristic safety values. See chapter 3.4.
The internal fault detection may be used to implement a proof test. The diagnostic coverage is
then counting as the proof test coverage. See chapter 3.4.
It is under the responsibility of the plant operator to define the type of proof test and the interval
time period.
Conditions
KFD2-RSH-1.2E.L2 KFD2-RSH-1.2E.L3
Load power supply > 5 V DC > 35.5 V AC
Device power supply (LED 24 V DC 24 V DC
PWR is on)
Load 13.2 : < R < 7.3 k: 39.2 : < R < 45 k:
Current through load 14 mA < I < 1.9 A 13.5 mA AC < I < 4.9 A AC
Table 5.1
If the conditions are met, you can also check the device in the application.
2018-06
15
Operation
Proof Test Procedure

1. Enable the internal fault detection and the line fault detection. See chapter 4.2.1.
2. Check the device as shown in the following tables.
3. After check reset the device to the necessary settings.
4. Check the correct behavior of the safety loop. Is the configuration correct?
Test No. Input Output

• LED FLT is off 1 .
Table 5.2 Expected test results for the proof test
1 When the FLT LED flashes, a line fault is present. Check whether the supply voltage and the connected load are in the OK area of the
line fault detection.
When the FLT LED is lit continuously, an internal fault is present. Reset the internal fault by interrupting the power supply (terminals
14+/15-).
Only if all tests are successfully done, the proof test is successful.
2018-06
16
Operation
5.3 Application Example

5.3.1 Standard Application for Dual Pole Switching
For a switching application, the device has to be attached to the process control system and
the load the following way.
KFD2-RSH-1.2E.L2
5+ 7+
ETS 8- V
3 10
11
2-
14+
15-
24 V DC
Fault 24 V DC
Power Rail Zone 2
Figure 5.1 Standard application for dual pole switching
In the standard application, the process control system is connected to terminals 7+ and 8-.
The line fault transparency (LFT) of the safety relay must be compatible with the line fault
detection of the process control system output. Terminals 10 and 11 can be used as fault
indication output to the process control system.
The characteristic safety values valid for the standard application can be found in Table 3.1
2018-06
17
Operation
5.3.2 Application with Fault Indication Output in the Signal Loop of the Dual
Pole Switching
Some process control systems are not working with test pulses or with specific test pulses that
do not recognize the impedance change of the device output signaling a line fault. Where the
output of the process control system can detect an open circuit in the signal loop, the fault
indication output of the device may be put in series to the input. See figure.
KFD2-RSH-1.2E.L2
5+ 7+
ETS 8- V
3 10
11
2-
14+
15-
24 V DC
Fault 24 V DC
Power Rail Zone 2
Figure 5.2 Application with fault indication output in the signal loop of the dual pole switching
If the fault indication output is open, the output relay contacts cannot be enabled. But as the
fault is detected by the process control system a suitable reaction can be planned. The user
must ensure that a suitable reaction on this detected fault is implemented.
For this application, the characteristic safety values are the same. The characteristic safety
values can be found in Table 3.1.
Warning!
Possible failure of the safety function
If a fault is detected, all output relay contacts remain open.
Take suitable measures in case the diagnosis is triggered. Take suitable measures to sustain
the safety function via the process control system.
2018-06
18
Maintenance and Repair
6 Maintenance and Repair

Danger!
Maintaining, Repairing or Replacing the Device

In case of maintenance, repair or replacement of the device, proceed as follows:
1. Implement appropriate maintenance procedures for regular maintenance of the safety loop.
2. Ensure the proper function of the safety loop, while the device is maintained, repaired or
replaced.
If the safety loop does not work without the device, shut down the application. Do not
restart the application without taking proper precautions.
Secure the application against accidental restart.
3. Do not repair a defective device. A defective device must only be repaired by the
manufacturer.
4. Replace a defective device only by a device of the same type.
2018-06
19
List of Abbreviations
7 List of Abbreviations
ESD Emergency Shutdown
FIT Failure In Time in 10-9 1/h
FMEDA Failure Mode, Effects, and Diagnostics Analysis
Os Probability of safe failure
Odd Probability of dangerous detected failure
Odu Probability of dangerous undetected failure
Ono effect Probability of failures of components in the safety loop that have no effect on the safety
function. The no effect failure is not used for calculation of SFF.
Onot part Probability of failure of components that are not in the safety loop
Ototal (safety function) Probability of failure of components that are in the safety loop
MTBF Mean Time Between Failures
MTTR Mean Time To Restoration
PCS Process Control System
PFDavg Average Probability of dangerous Failure on Demand
PFH Average frequency of dangerous failure
PLC Programmable Logic Controller
SIL (SC) Safety Integrity Level (Systematic Capability)
T1 Proof Test Interval
Tservice Time from start of operation to putting the device out of service
DTS De-energized To Safe (sicherheitsgerichtetes Abschalten)
ETS Energized To Safe (sicherheitsgerichtetes Anschalten)
2018-06
20
Notes
2018-06
21
Pepperl+Fuchs GmbH
Tel. +49 621 776-0

closest to you check www.pepperl-fuchs.com/contact
Subject to modifications
Copyright PEPPERL+FUCHS • Printed in Germany DOCT-5816B
06/2018
Safety Assessment
Device Front Sheet: Revision 4
Pepperl+Fuchs - Relay Module
Device Type No. KFD0-RSH-1.4S.PS2
225538 Safety Manual SIL 04-01-2011 - P+F
P+F 100397R1C
Certificate 03-05-2011 - Exida
P0006 C04.2
Manufacturer Model Type S DD DU

KFD0-RSH-1.4S.PS2
Pepperl+Fuchs A 3.50E-02 0 1.83E-03
DTS
KFD0-RSH-1.4S.PS2
Pepperl+Fuchs A 5.71E-02 0 7.10E-03
ETS
conservative data.
Manufacturer claims compliance to Systematic Capability: SC3(*)

(*)Exida, P+F 100397R1C P0006 C04.2.
Considerations
The attached report clearly refers to IEC61508:2000 (see 1.4)
Currently the reference should be to IEC61508: 2010 and consequently some failures that have been
included in the total should be left out of the calculation (this results in the value of S above).
The failures that have been left out of the calculation were established in a discussion with P&F in
November 2010; however they did not find their way into above report of April 2011.
Amersfoort, 14 – 08 – 2018 Amersfoort, 14 – 08 – 2018

Rob van der Harst Jeff Beijk
PROCESS AUTOMATION
SAFETY MANUAL SIL

RELAY MODULE
KFD0-RSH-1.4S.PS2
ISO9001
3
SAFETY MANUAL SIL KFD0-RSH-1.4S.PS2
With regard to the supply of products, the current issue of the following document is applicable: The
General Terms of Delivery for Products and Services of the Electrical Industry, published by the
Central Association of the Electrical Industry (Zentralverband Elektrotechnik und Elektroindustrie
(ZVEI) e.V.) in its most recent version as well as the supplementary clause: "Expanded reservation
of proprietorship"
Contents
1 Introduction......................................................................... 4
1.1 General Information .......................................................................................4
1.2 Intended Use ................................................................................................4
1.3 Manufacturer Information ..............................................................................5
1.4 Relevant Standards and Directives ...............................................................5
2 Planning .............................................................................. 6
2.1 System Structure...........................................................................................6
2.1.1 Low Demand Mode .................................................................................6
2.1.2 High Demand Mode .................................................................................6
2.2 Assumptions ................................................................................................7
2.3 Safety Function and Safe State .....................................................................8
2.4 Characteristic Safety Values .........................................................................9
3 Safety Recommendation.................................................. 10
3.1 Interfaces ....................................................................................................10
3.2 Configuration ..............................................................................................10
3.3 Useful Life Time ..........................................................................................10
3.4 Installation and Commissioning ..................................................................11
4 Proof Test .......................................................................... 12

4.1 Proof Test Procedure ..................................................................................12
5 Abbreviations.................................................................... 16
225538 2011-04
3
Introduction
1 Introduction
1.1 General Information
This manual contains information for application of the device in functional safety
related loops.
The corresponding data sheets, the operating instructions, the system
description, the Declaration of Conformity, the EC-Type-Examination Certificate,
the Functional Safety Assessment and applicable Certificates (see data sheet)
are integral parts of this document.
The documents mentioned are available from www.pepperl-fuchs.com or by
contacting your local Pepperl+Fuchs representative.
Mounting, commissioning, operation, maintenance and dismounting of any
devices may only be carried out by trained, qualified personnel. The instruction
manual must be read and understood.
When it is not possible to correct faults, the devices must be taken out of service
and action taken to protect against accidental use. Devices should only be
repaired directly by the manufacturer. De-activating or bypassing safety functions
or failure to follow the advice given in this manual (causing disturbances or
impairment of safety functions) may cause damage to property, environment or
persons for which Pepperl+Fuchs GmbH will not be liable.
The devices are developed, manufactured and tested according to the relevant
safety standards. They must only be used for the applications described in the
instructions and with specified environmental conditions, and only in connection
with approved external devices.
1.2 Intended Use

This signal conditioner is a loop powered safety relay module with a logic input
and two different relay outputs:
It can be used as an interface in output loops for fire and gas systems classified as
SIL3. The safe state in this application is energized to safe (ETS). Output I with
two relays in parallel must be used, no fuse available.
It can also be used as an interface in output loops for ESD (Emergency Shut
Down) systems classified as SIL3. The safe state in this application is
de-energized to safe (DTS). Output II with two relays in series must be used. An
additional fuse in series to the relay contacts is available (see chapter 3).
With both outputs in combination a non safety application for dual pole switching
(DPS) is possible.
Additionally a test input for proof tests is available. The proof test checks if each
single relay is working correctly.
The device is usually mounted on a DIN rail in cabinets with access for qualified
225538 2011-04
personnel only.
4
Introduction
1.3 Manufacturer Information

Pepperl+Fuchs GmbH
Lilienthalstrasse 200
68307 Mannheim/Germany
KFD0-RSH-1.4S.PS2
Up to SIL3 (for DTS), up to SIL3 (for ETS)
1.4 Relevant Standards and Directives

Device specific standards and directives
■ Functional safety IEC 61508 part 1 – 7, edition 2000:
Standard of functional safety of electrical/electronic/programmable electronic

safety-related systems (product manufacturer)
■ Electromagnetic compatibility:
- EN 61326-1:2006
- NE 21:2006
System specific standards and directives

■ Functional safety IEC 61511 part 1 – 3, edition 2003:
Standard of functional safety: safety instrumented systems for the process

industry sector (user)
225538 2011-04
5
Planning
2 Planning
2.1.1 Low Demand Mode
If there are two loops, one for the standard operation and another one for the
functional safety, then usually the demand rate for the safety loop is assumed to
be less than once per year.
■ the PFDavg value (average Probability of Failure on Demand) and Tproof
(proof test interval that has a direct impact on the PFDavg)
■ the SFF value (Safe Failure Fraction)
■ the HFT architecture (Hardware Fault Tolerance architecture)
2.1.2 High Demand Mode
If there is only one loop, which combines the standard operation and safety
related operation, then usually the demand rate for this loop is assumed to be
higher than once per year.
■ PFH (Probability of dangerous Failure per Hour)
■ Fault reaction time of the safety system
■ the SFF value (Safe Failure Fraction)
■ the HFT architecture (Hardware Fault Tolerance architecture)
225538 2011-04
6
Planning
2.2 Assumptions
The following assumptions have been made during the FMEDA analysis:
■ Failure rates are constant, wear out mechanisms are not included.
■ The stress levels are average for an industrial environment and can be
compared to the Ground Fixed Classification of MIL-HNBK-217F.
Alternatively, the assumed environment is similar to:
• IEC 60654-1 Class C (sheltered location) with temperature limits within
the manufacturer's rating and an average temperature over a long period
of time of 40 ºC. Humidity levels are assumed within manufacturer's
rating. For a higher average temperature of 60 ºC, the failure rates should
be multiplied with an experience based factor of 2.5. A similar multiplier
should be used if frequent temperature fluctuation must be assumed.
■ Failure rate based on the Siemens SN29500 data base.
■ It was assumed that the appearance of a safe error (e. g. output in safe state)
would be repaired within 8 hours.
■ During the absence of the device for repairing, measures have to be taken to
ensure the safety function (for example: substitution by an equivalent device).
■ For high currents and high ambient temperature the de-rating given in the data
sheet needs to be considered.
■ The input of the device must be connected to a safety PLC which has
minimum the SIL needed in the loop.
■ The device shall claim less than 10 % of the total failure budget for a
SIL3 safety loop.
■ For a SIL3 application operating in Low Demand Mode the total PFDavg value
of the SIF (Safety Instrumented Function) should be smaller than 10-3, hence
the maximum allowable PFDavg value would then be 10-4.
■ For a SIL3 application operating in High Demand Mode of operation the total
PFH value of the SIF should be smaller than 10-7 per hour, hence the
maximum allowable PFH value would then be 10-8 per hour.
■ Since the circuit has a Hardware Fault Tolerance of 0 and it is a type A
component, the SFF must be > 90 % according to table 2 of IEC 61508-2 for
SIL3 (sub)system.
225538 2011-04
7
Planning

DTS
Safety Function
The safety function of the device is defined: Whenever the input of the device is
de-energized, the DTS output is not conducting.
Safe State
For the DTS safety function the safe state is defined as the DTS output being open
(not conducting).
Reaction Time
The reaction time is < 20 ms.
ETS
Safety Function
The safety function of the device is defined: Whenever the input of the device is
energized, the ETS output is conducting.
Safe State
For the ETS safety function the safe state is defined as the ETS output being
closed (conducting).
Reaction Time
The reaction time is < 20 ms.
DPS
The dual pole switching application is no safety application.
General
For all applications the maximum switching frequency is limited to 10 Hz.
225538 2011-04
8
Planning
Parameters acc. to IEC 61508 Variables

Assessment type and Full assessment
documentation
Pepperl+Fuchs FMEDA report 1 FS-0042EA-20A
Device type A
Demand mode Low Demand Mode or High Demand Mode
Safety function 2 ETS 4 DTS
HFT 0 0
SIL 3 3
λsd + λsu 139.7 FIT 144.77 FIT
λdd 0 FIT 0 FIT
λdu 7.1 FIT 1.83 FIT
λtotal (safety function) 146.6 FIT 146.6 FIT
SFF 95.2 % 98.7 %
MTBF 3 639 years 560 years
PFH 7.1 x 10-9 1/h 1.83 x 10-9 1/h
PFDavg for T1 = 1 year 3.1 x 10-5 8.01 x 10-6
Tproof max. 3 years 12 years
Reaction time < 20 ms
1
Pepperl+Fuchs documentation number
2
The device can be used in two safety functions, ETS (energized to safe) and DTS (de-energized to safe).
3 acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 8 h.
4
For ETS in SIL2 applications no proof test has to be carried out, the calculated proof time is higher than the
useful time (Tproof max. for ETS SIL2 is 32 years).
The characteristic safety values like PFD/PFH, SFF, HFT and Tproof are taken from
the SIL report/FMEDA report. Please note, PFD and Tproof are related to each
other.
The function of the devices has to be checked within the proof test interval
(Tproof).
225538 2011-04
9
Safety Recommendation
3 Safety Recommendation
3.1 Interfaces
The device has the following interfaces. For corresponding terminals see data
sheet.
■ Safety relevant interfaces: input, output I (ETS), output II (DTS)
■ To avoid contact welding in DTS application we recommend to use a serial
fuse in the load circuit. This can be the internal fuse F1 or any external fuse of
max. 5 A nominal value.
■ Test input interface may not be used during normal operation (only for proof
test)
3.2 Configuration
A configuration of the device is not necessary and not possible.
ETS, DTS and DPS can be selected by using the referring terminals. See data
sheet. The fuse in delivery status (2.5 A) can be changed to max 5 A. Please note
the temperature derating according to the data sheet.
3.3 Useful Life Time

Although a constant failure rate is assumed by the probabilistic estimation this
only applies provided that the useful life time of components is not exceeded.
Beyond this useful life time, the result of the probabilistic calculation is
meaningless as the probability of failure significantly increases with time. The
useful life time is highly dependent on the component itself and its operating
conditions – temperature in particular (for example, the electrolytic capacitors can
be very sensitive to the working temperature).
This assumption of a constant failure rate is based on the bathtub curve, which
shows the typical behavior for electronic components.
Therefore it is obvious that failure calculation is only valid for components that
have this constant domain and that the validity of the calculation is limited to the
useful life time of each component.
It is assumed that early failures are detected to a huge percentage during the
installation period and therefore the assumption of a constant failure rate during
the useful life time is valid.
However, according to IEC 61508-2, a useful life time, based on experience,
should be assumed. Experience has shown that the useful life time often lies
within a range period of about 8 ... 12 years.
225538 2011-04
10
Safety Recommendation
Our experience has shown that the useful life time of a Pepperl+Fuchs product
can be higher
■ if there are no components with reduced life time in the safety path (like
electrolytic capacitors, relays, flash memory, opto coupler) which can produce
dangerous undetected failures and
■ if the ambient temperature is significantly below 60 °C.
Please note that the useful life time refers to the (constant) failure rate of the
device. The effective life time can be higher.
The useful life time is limited by the maximum switching cycles under load
conditions. You can see the relationship between the maximum switching power
and the load conditions in the diagram below.
Resistive load Resistive load

DC AC
I (A)
2 max. 105
switching cycles
1
0.6 max. 3 x 104
0.5 switching cycles
0.3
0.2
0.1
0 10 20 50 100 200 253 U (V)
30 115 220
Figure 3.1
3.4 Installation and Commissioning

Installation has to consider all aspects regarding the SIL level of the loop. During
installation or replacement of the device the loop has to shut down. Devices have
to be replaced by the same type of devices.
225538 2011-04
11
Proof Test
4 Proof Test
According to IEC 61508-2 a recurring proof test shall be undertaken to reveal
potential dangerous fails that are otherwise not detected by diagnostic test.
The functionality of the subsystem must be verified at periodic intervals
depending on the applied PFDavg in accordance with the data provided in see
chapter 2.4.
It is under the responsibility of the operator to define the type of proof test and the
interval time period.
The ancillary equipment required:
■ A digital multimeter (without special accuracy) will be used as ohmmeter
(mid range recommended) to check the relay outputs. Closed contacts are
shown with 0 Ω (low impedance), open contacts are shown with OL
(overload/high impedance).
■ Power supply set at nominal voltage of 24 V DC
Procedure:
For the proof test five tests have to be done as shown in the following table and
pictures:
Test No. Input or Test Input Output (mA)
1 Vtest input = 24 V DC ■ DTS output (terminals 5, 6): OL (overload)

between terminals 10+, 11- ■ ETS output (terminals 2, 3): shows 0 Ω
■ Red LED TST1 is flashing.
between terminals 11-, 12+ ■ ETS output (terminals 2, 3): shows 0 Ω
■ Red LED TST2 is flashing.
3 Vtest input = 24 V DC ■ DTS output (terminals 5, 6): shows 0 Ω
between terminals 10+, 11- and ■ ETS output (terminals 2, 3): shows 0 Ω
between terminals 11-, 12+ ■ Both red LEDs are flashing.
between terminals 10+, 11- and ■ ETS output (terminals 2, 3): OL (overload)
between terminals 11-, 12+ ■ Both red LEDs are off.
5 Vinput = 24 V DC ■ DTS output (terminals 5, 6): shows 0 Ω
between terminals 7+ and 8- and with changed ■ ETS output (terminals 2, 3): shows 0 Ω
input polarity between terminals 7-, 8+ ■ Yellow LED is on.
Table 4.1 Expected test results for a successful proof test

225538 2011-04
12
Proof Test
Multimeter
(Ω )
Multimeter
(Ω ) 4
10+
5
24 V
6 11-
12
Figure 4.1 Proof test set-up for KFD0-RSH-1.4S.PS2, test 1
Multimeter
(Ω )
Multimeter
(Ω ) 4
10
5
6 11-
24 V
12+

225538 2011-04
13
Proof Test
Multimeter
(Ω )
Multimeter
(Ω ) 4
10+
5
24 V
6 11-
24 V
12+
Multimeter
(Ω )
Multimeter
(Ω ) 4
10+
5
0V
6 11-
0V
12+

225538 2011-04
14
Proof Test
Multimeter
(Ω )
2 7
24 V
3 8(+/-)
Multimeter
(Ω ) 4
5
6

Only if all tests are successfully done, the proof test is successfull.
225538 2011-04
15
Abbreviations
5 Abbreviations
FMEDA Failure Mode, Effects and Diagnostics Analysis
PFDavg Average Probability of Failure on Demand
PFH Probability of dangerous Failure per Hour
Tproof Proof Test Interval
DPS Dual Pole Switching

DTS De-energized To Safe State
ESD Emergency Shut Down
ETS Energized To Safe State
225538 2011-04
16
225538 2011-04
Notes
17
Pepperl+Fuchs GmbH
Tel. +49 621 776-0

closest to you check www.pepperl-fuchs.com/pfcontact
Subject to modifications 225538 TDOCT-2052CENG
Copyright PEPPERL+FUCHS • Printed in Germany 04/2011
C E R T I F I C A T E / C E R T I F I C A T / Z E R T I F I K A T / 合格証
C E R T I F I C AT E
P+F 100397R1C P0006 C04.2
exida Certification S.A. hereby confirms that the
Relay Module KFD0-RSH-1.4S.PS2

Product Version: 05-6166
Pepperl+Fuchs GmbH
Mannheim, Germany
Has been assessed per the relevant requirements of
IEC 61508:2000
Parts 1 - 2, and meets requirements providing a level of integrity to
Systematic Integrity : SIL 3 Capable

Random Integrity : SIL 3 Capable
Safety function
The Relay Module KFD0-RSH-1.4S.PS2 shall provide the following two Type A safety functions for
applications in low or high demand mode of operation:
1. DTS - De-energize To trip (Safe) the relay output when the input is de-energized..
2. ETS - Energize To activate (Safe) the relay output when the input is energized.
Application Restrictions
The unit must be properly designed and validated in a Safety Instrumented Function per the
requirements in the Safety Manual.
Assessors Certifying Assessor
Date: 3 May 2011
exida Certification SA, Nyon, Switzerland
Page 1 (2)
C E R T I F I C A T E / C E R T I F I C A T / Z E R T I F I K A T / 合格証
Systematic Integrity: SIL 3 Capable
SIL 3 Capability
The product has met manufacturer design process requirements of Safety Integrity Level
(SIL) 3. These are intended to achieve sufficient integrity against systematic errors of design by
the manufacturer. A Safety Instrumented Function (SIF) designed with this product must not
be used at a SIL level higher than the statement.
Random Integrity: SIL 3 Capable

Summary for KFD0-RSH-1.4S.PS2
Type A device,
IEC 61508 failure rates:
Failure category DTS ETS
Fail Safe (λSAFE) 144.77 139.5
Fail Dangerous Detected (λDD) 0 0
Fail Dangerous Undetected (λDU) 1.83 7.1
Total failure rate (safety function) 146.6 146.6

SFF 98.7 % 95.2 %
All failure rates are given in FIT=10-9/h
SIL Verification:
The Safety Integrity Level (SIL) of an entire Safety Instrumented Function (SIF) must be verified
via a calculation of PFDAVG / PFH considering the architecture, proof test interval, proof test
effectiveness, any automatic diagnostics, average repair time and the specific failure rates of all
products included in the SIF. Each subsystem must be checked to assure compliance with
minimum hardware fault tolerance (HFT) requirements.
The following documents are mandatory part of this certificate:

P+F 1003-97R1-C R017 V1R2 Assessment Report
Safety Manual Relay Module KFD0-RSH-1.4S.PS2 Ver: 225538 DOCT-2052C 04 2011
The holder of this certificate

may use this mark.
exida Certification SA, Nyon, Switzerland

info@exidacert.ch
Page 2 (2)

TJ01 JK VD IC0100004 IS1 - Code 4

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TJ01 JK VD IC0100004 IS1 - Code 4

Uploaded by

Copyright:

Available Formats

N.

Revision History of this Project Document

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

3.4.6 Input Field Interfaces ........................................................................................ 21

Appendix I Reliability Calculations

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

1.2 Reference Documents

1.2.2 Tecnimont & JGC Joint Venture (TJJV)

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

1.3 Definitions and Abbreviations

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

SIF : Safety Instrumented Function

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

1.4 Product certificate for ProSafe-RS

Figure 1: TÜV certificate for ProSafe-RS

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

1.5 Hold List

Hold No. Subject Reason

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

2 Functional Safety Management

2.2 The Safety Life Cycle

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

Safety rela ted de live rables

Functio nal Safety Assessment

Pro ject Clo se Ou t

Figure 3: Yokogawa’s implementation of the realisation phase of the safety lifecycle

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

2.3 Safety Verification, Assessment and Validation

2.3.3 Functional Safety Assessment

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

2.4 Systematic safety integrity

2.5 Reliability Calculations

The average probability of a dangerous failure on demand: PFDavg

2.7 Operation and Maintenance

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

2.9 TÜV Certification

Information can be found on the TÜV Rheinland website:

Figure 4: Example of a TÜV FSM certificate

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

3 Safety Requirements - Safe Solutions

3.2 Safety Requirement Specification

3.3 System Design

3.3.1 System Overview

The ESD system consists of the following stations Cabinets:

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

PE3 - Plant (Domain-03)

Field IO’s: Field IO’s:

Figure 5: System configuration

3.3.2 Design Principles

Further detailed information on the system is given in the FDS.

Copyright © Yokogawa Electric Corporation Reference: GES_A0202_01 Rev. 5.02.81

3.4 Requirements versus Solutions

Sensor sub-system of SIS Logic solver Final Element sub-system of SIS

3.4.5 3.4.6 3.4.7 3.4.8 3.4.9 3.4.10 3.4.11

Sensor(s) Input LS Input LS LS Output Output Final

Field Interface Channel Channel Field Interface Element(s)

Model to clarify the used terms

3.4.1 Safety Instrumented Functions/Loops

3.4.2 Safety Parameters

SIF See section 4.4 for the PFDavg calculation result.

Proof test interval T = 1 year.