11 System requirements ToC Previous Next

The PFH-value of a logical OPC UA Safety communication link depends on the parameter of SafetyErrorIntervalLimit (see Table 17) of the link’s SafetyConsumer. Whenever the SafetyConsumer detects a mismatch of the SafetyConsumerID, SPDU_ID, MNR or CRC-checksum, it will only continue operating if the last occurrence of such an error happened more than SafetyErrorIntervalLimit time units ago. Otherwise, it will make a transition to fail-safe values, which can only be left by manual operator acknowledgment, see Clause 7.4.2.

This directly limits the rate of detected errors, and indirectly limits the rate of undetected (residual) errors.

See Table 31 for numeric PFH- and PFD-values.

Table 31 – The total residual error rate for the safety communication channel

SafetyErrorIntervalLimit Allowed for SIL range Total Residual error rate for one logical connection of the safety function
(PFH)
Total Residual error probability for one logical connection of the safety function, for a mission time of 20 years
(PFDavg)
6 Minutes Up to SIL 2 < 4,0*10–9 / h < 3,504 * 10-4
60 Minutes Up to SIL 3 < 4,0*10–10 / h < 3,504 * 10-5
600 Minutes Up to SIL 4 < 4,0*10–11 / h < 3,504 * 10-6

Note: the estimates for PFDAVG are conservative. More accurate values will be provided in the future.

Note: the parameter SafetyErrorIntervalLimit affects the PFH/PFD of the safety communication channel, only. There is no effect on the PFH/PFD-values of the network nodes the SafetyProviders and SafetyConsumers are running on. The requirements for the implementation of these nodes are specified in the IEC 61508.

Previous Next