The PFH-value of a logical safety communication link according to this document depends on the parameter of SafetyErrorIntervalLimit (see Table 26) of the link’s SafetyConsumer. Whenever the SafetyConsumer detects a mismatch of the SafetyConsumerID, SPDU_ID, MNR or CRC-checksum, it will only continue operating if the last occurrence of such an error happened more than SafetyErrorIntervalLimit time units ago. Otherwise, it will make a transition to fail-safe values, which can only be left by manual operator acknowledgment, see

This directly limits the rate of detected errors, and indirectly limits the rate of undetected (residual) errors.

See Table 39 for numeric PFH- and PFD-values.

Table 39 – The total residual error rate for the safety communication channel


Allowed for SIL range

Total Residual error rate for one logical connection of the safety function


Total Residual error probability for one logical connection of the safety function, for a mission time of 20 years


6 Minutes

Up to SIL2

< 4,0 × 10–9 / h

< 1,0 × 10-6

60 Minutes

Up to SIL3

< 4,0 × 10–10 / h

< 2,5 × 10-7

600 Minutes

Up to SIL4

< 4,0 × 10–11 / h

< 8,0 × 10-8

The parameter SafetyErrorIntervalLimit affects the PFH/PFD of only the safety communication channel. There is no effect on the PFH/PFD-values of the devices the SafetyProviders and SafetyConsumers are running on. The requirements for the implementation of these nodes are specified in the IEC 61508.