11 System requirements (SafetyProvider & SafetyConsumer)

The PFH value of a logical OPC UA Safety communication link depends on the SafetyErrorIntervalLimit parameter (see Table 27) of the link's SafetyConsumer. Whenever the SafetyConsumer detects a mismatch of the SafetyConsumerID, the SPDU_ID, the MNR or the CRC checksum, it continues operating only if the last such error occurred more than SafetyErrorIntervalLimit time units ago. Otherwise it transitions to fail-safe values, a state that can only be left by manual operator acknowledgment (see Clause 7.4.2).

This directly bounds the rate of detected errors (at most one tolerated error per SafetyErrorIntervalLimit before the fail-safe transition) and, since a residual error is a corrupted SPDU that slips past those same checks, indirectly bounds the rate of undetected (residual) errors.
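To make the rule concrete, the following Python model, added here and not taken from the OPC UA Safety specification or from any implementation, plays constructed SPDUs against a SafetyConsumer configured with SafetyErrorIntervalLimit = 6 minutes. The SPDU layout, the use of zlib CRC-32 in place of the normative safety CRC, the MNR advancing by one per accepted SPDU, and the clearing of the error timer on operator acknowledgment are assumptions of the model, not statements of the specification.

```python
from __future__ import annotations

import zlib
from dataclasses import dataclass, field, replace
from enum import Enum, auto


class ErrorKind(Enum):
    SAFETY_CONSUMER_ID = auto()
    SPDU_ID = auto()
    MNR = auto()
    CRC = auto()


class State(Enum):
    OPERATING = auto()
    FAIL_SAFE = auto()


@dataclass(frozen=True)
class Spdu:
    """Simplified SPDU (assumption): only the fields the consumer checks, plus the payload."""
    safety_consumer_id: int
    spdu_id: int
    mnr: int          # monitoring number the consumer expects to see echoed
    payload: bytes
    crc: int          # checksum over the four fields above


def spdu_crc(consumer_id: int, spdu_id: int, mnr: int, payload: bytes) -> int:
    """Stand-in for the normative safety CRC (assumption: zlib CRC-32)."""
    header = consumer_id.to_bytes(4, "big") + spdu_id.to_bytes(4, "big") + mnr.to_bytes(4, "big")
    return zlib.crc32(header + payload) & 0xFFFFFFFF


def make_spdu(consumer_id: int, spdu_id: int, mnr: int, payload: bytes) -> Spdu:
    return Spdu(consumer_id, spdu_id, mnr, payload, spdu_crc(consumer_id, spdu_id, mnr, payload))


def check_spdu(spdu: Spdu, consumer_id: int, spdu_id: int, mnr: int) -> list[ErrorKind]:
    """Every mismatch the consumer detects on one SPDU; an empty list means the SPDU is accepted."""
    errors = []
    if spdu.safety_consumer_id != consumer_id:
        errors.append(ErrorKind.SAFETY_CONSUMER_ID)
    if spdu.spdu_id != spdu_id:
        errors.append(ErrorKind.SPDU_ID)
    if spdu.mnr != mnr:
        errors.append(ErrorKind.MNR)
    if spdu.crc != spdu_crc(spdu.safety_consumer_id, spdu.spdu_id, spdu.mnr, spdu.payload):
        errors.append(ErrorKind.CRC)
    return errors


@dataclass
class SafetyConsumer:
    safety_error_interval_limit: float   # seconds (Table 39 uses 6, 60 or 600 minutes)
    consumer_id: int
    spdu_id: int
    expected_mnr: int = 0
    state: State = State.OPERATING
    last_error_time: float | None = None
    log: list[str] = field(default_factory=list)

    def receive(self, now: float, spdu: Spdu) -> State:
        if self.state is State.FAIL_SAFE:
            return self.state                      # only operator_acknowledge() leaves fail-safe
        errors = check_spdu(spdu, self.consumer_id, self.spdu_id, self.expected_mnr)
        if not errors:
            self.expected_mnr += 1                 # assumption: MNR advances by one per accepted SPDU
            return self.state
        self.log.append(f"t={now}: detected {[e.name for e in errors]}")
        recent = (self.last_error_time is not None
                  and now - self.last_error_time <= self.safety_error_interval_limit)
        if recent:
            self.state = State.FAIL_SAFE           # second error inside the interval: fail-safe values
        else:
            self.last_error_time = now             # first error, or last one long enough ago: tolerated
        return self.state

    def operator_acknowledge(self) -> State:
        """Manual acknowledgment (Clause 7.4.2). Assumption: the error timer is cleared as well."""
        self.state = State.OPERATING
        self.last_error_time = None
        return self.state


def max_tolerated_detected_errors_per_hour(limit_minutes: float) -> float:
    """Detected-error rate above which the link cannot stay operating: one error per interval."""
    return 60.0 / limit_minutes


def run_scenario() -> list[State]:
    """Constructed traffic against a consumer with SafetyErrorIntervalLimit = 6 minutes."""
    c = SafetyConsumer(safety_error_interval_limit=360.0, consumer_id=0x1234, spdu_id=1, expected_mnr=7)
    states = [c.receive(0.0, make_spdu(0x1234, 1, 7, b"speed=0"))]   # accepted, expected_mnr -> 8
    real = make_spdu(0x1234, 1, 8, b"speed=0")
    bad_crc = replace(real, crc=real.crc ^ 1)                        # corrupted checksum
    states.append(c.receive(10.0, bad_crc))                          # first error: tolerated
    wrong_id = make_spdu(0x9999, 1, 8, b"speed=0")                   # valid CRC, foreign SafetyConsumerID
    states.append(c.receive(100.0, wrong_id))                        # 90 s after last error: fail-safe
    states.append(c.receive(200.0, real))                            # valid SPDU, but still fail-safe
    states.append(c.operator_acknowledge())                          # operator clears fail-safe
    states.append(c.receive(500.0, bad_crc))                         # tolerated
    states.append(c.receive(900.0, bad_crc))                         # 400 s > 360 s: tolerated
    states.append(c.receive(1000.0, bad_crc))                        # 100 s later: fail-safe again
    return states


if __name__ == "__main__":
    for s in run_scenario():
        print(s.name)
```

Note that a valid SPDU arriving while the consumer is in fail-safe does not clear the state; only the acknowledgment does. The `max_tolerated_detected_errors_per_hour` helper expresses the rate limit the text refers to: with a 6 minute interval the link survives at most 10 detected errors per hour, with 600 minutes only 0.1 per hour, which is why the longer intervals earn the lower residual error rates in Table 39.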

See Table 39 for numeric PFH- and PFD-values.

Table 39 – The total residual error rate for the safety communication channel

SafetyErrorIntervalLimit | Allowed for SIL range | Total residual error rate for one logical connection of the safety function (PFH) | Total residual error probability for one logical connection of the safety function, for a mission time of 20 years (PFDavg)
6 minutes   | up to SIL 2 | < 4.0 × 10^-9 /h  | < 1.0 × 10^-6
60 minutes  | up to SIL 3 | < 4.0 × 10^-10 /h | < 2.5 × 10^-7
600 minutes | up to SIL 4 | < 4.0 × 10^-11 /h | < 8.0 × 10^-8

NOTE: The parameter SafetyErrorIntervalLimit affects the PFH/PFD of the safety communication channel only. It has no effect on the PFH/PFD values of the devices on which the SafetyProviders and SafetyConsumers run; the requirements for implementing these nodes are specified in IEC 61508.
