The PFH value of a logical safety communication link according to this document depends on the SafetyErrorIntervalLimit parameter (see Table 26) of the link's SafetyConsumer. Whenever the SafetyConsumer detects a mismatch of the SafetyConsumerID, SPDU_ID, MNR or CRC, it continues operating only if the previous such error occurred more than SafetyErrorIntervalLimit ago. Otherwise it transitions to fail-safe values, a state that can be left only by manual operator acknowledgment (see 6.3.4.3).

This directly limits the rate of detected errors and, because residual errors arise from the same underlying error rate that the checks also detect, indirectly limits the rate of undetected (residual) errors.
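The following is an added example, not code from the OPC UA Safety specification: a minimal model of the SafetyConsumer rule described above. It tracks the time of the last detected error, delivers fail-safe values on every detected mismatch, and latches the link when a second error arrives within SafetyErrorIntervalLimit, including the boundary case where two errors are exactly the limit apart (not "more than", so the link latches). The SPDU layout, the use of CRC-32, the per-message MNR sequence, the fail-safe substitute value and the behaviour of operator acknowledgment on the error history are simplifying assumptions; the sample message trace is constructed.

```python
"""Added example, not part of the OPC UA Safety text: a minimal model of the
SafetyConsumer's SafetyErrorIntervalLimit rule.  The SPDU layout, the CRC-32
choice and the fail-safe substitute value are simplifying assumptions; the
interval rule itself follows the specification text."""
from dataclasses import dataclass, replace
import zlib


@dataclass(frozen=True)
class Spdu:
    """Constructed, simplified SPDU carrying only the fields the consumer checks."""
    consumer_id: int   # SafetyConsumerID
    spdu_id: int       # SPDU_ID
    mnr: int           # monitoring number
    payload: bytes
    crc: int

    @staticmethod
    def build(consumer_id: int, spdu_id: int, mnr: int, payload: bytes) -> "Spdu":
        # Assumption: CRC-32 over header fields and payload (the real profile
        # defines its own CRC polynomial and coverage).
        hdr = (consumer_id.to_bytes(4, "big") + spdu_id.to_bytes(4, "big")
               + mnr.to_bytes(4, "big"))
        return Spdu(consumer_id, spdu_id, mnr, payload, zlib.crc32(hdr + payload))


class SafetyConsumer:
    FSV = b"\x00"  # fail-safe substitute value handed to the application (assumption)

    def __init__(self, consumer_id: int, spdu_id: int, error_interval_limit_s: float):
        self.consumer_id = consumer_id
        self.spdu_id = spdu_id
        self.limit = error_interval_limit_s   # SafetyErrorIntervalLimit in seconds
        self.expected_mnr = 1                  # simplification: advances per accepted SPDU
        self.last_error_time = None            # time of the previous detected error
        self.latched = False                   # fail-safe until operator acknowledgment

    def _mismatch(self, spdu: Spdu):
        """Return the name of the first mismatching field, or None if the SPDU is valid."""
        if Spdu.build(spdu.consumer_id, spdu.spdu_id, spdu.mnr, spdu.payload).crc != spdu.crc:
            return "CRC"
        if spdu.consumer_id != self.consumer_id:
            return "SafetyConsumerID"
        if spdu.spdu_id != self.spdu_id:
            return "SPDU_ID"
        if spdu.mnr != self.expected_mnr:
            return "MNR"
        return None

    def receive(self, spdu: Spdu, now_s: float):
        """Process one SPDU received at time now_s; return (value for the application, status)."""
        if self.latched:
            return self.FSV, "latched"
        err = self._mismatch(spdu)
        if err is None:
            self.expected_mnr += 1
            return spdu.payload, "ok"
        # A detected error always yields fail-safe values for this SPDU.  The link keeps
        # operating only if the previous error lies MORE than the limit in the past, so
        # a second error exactly limit seconds after the first latches the link.
        if self.last_error_time is not None and now_s - self.last_error_time <= self.limit:
            self.latched = True
            return self.FSV, f"error:{err}:latched"
        self.last_error_time = now_s
        return self.FSV, f"error:{err}:continue"

    def operator_acknowledge(self):
        """Manual acknowledgment clears the latch (assumption: the error history is kept)."""
        self.latched = False


def run_scenario(limit_s: float = 360):
    """Constructed trace for a 6 min limit: errors 361 s apart are tolerated, an error
    239 s after the previous one latches the link until operator acknowledgment."""
    c = SafetyConsumer(consumer_id=0x1001, spdu_id=0x42, error_interval_limit_s=limit_s)

    def good(mnr):
        return Spdu.build(0x1001, 0x42, mnr, b"\x01")

    def bad_crc(mnr):            # bit flip in the CRC field
        s = good(mnr)
        return replace(s, crc=s.crc ^ 1)

    def wrong_id(mnr):           # consistent CRC, but addressed to another consumer
        return Spdu.build(0x2002, 0x42, mnr, b"\x01")

    trace = [(0, good(1)), (10, good(2)), (100, bad_crc(3)), (110, good(3)),
             (461, bad_crc(4)), (470, good(4)), (700, wrong_id(5)), (710, good(5))]
    statuses = [c.receive(s, t)[1] for t, s in trace]
    c.operator_acknowledge()
    statuses.append(c.receive(good(5), 720)[1])
    return statuses


def boundary_is_latched(limit_s: float = 360) -> bool:
    """Two errors exactly limit_s apart are not 'more than' the limit apart: latch."""
    c = SafetyConsumer(0x1001, 0x42, limit_s)
    s = Spdu.build(0x1001, 0x42, 1, b"\x01")
    bad = replace(s, crc=s.crc ^ 1)
    c.receive(bad, 0)
    return c.receive(bad, limit_s)[1] == "error:CRC:latched"


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Note that the interval check uses a monotonic time base supplied by the caller; an implementation must not use wall-clock time that an operator or NTP step can move backwards, since that would let a second error appear to be "more than" the limit away.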

See Table 39 for numeric PFH and PFD values.

Table 39 – The total residual error rate for the safety communication channel

SafetyErrorIntervalLimit | Allowed for SIL range | Total residual error rate for one logical connection of the safety function (PFH) | Total residual error probability for one logical connection of the safety function, for a mission time of 20 years (PFDavg)
6 min   | Up to SIL 2 | < 4,0 × 10^-9 / h  | < 1,0 × 10^-6
60 min  | Up to SIL 3 | < 4,0 × 10^-10 / h | < 2,5 × 10^-7
600 min | Up to SIL 4 | < 4,0 × 10^-11 / h | < 8,0 × 10^-8

The parameter SafetyErrorIntervalLimit affects only the PFH and PFD of the safety communication channel. It has no effect on the PFH and PFD values of the components on which the SafetyProviders and SafetyConsumers run; the requirements for implementing those components are specified in the IEC 61508 series.