FSD212: Derivation of Safe Failure Fraction

| Title | FSD212-Derivation SFF |
|---|---|
| Products | Safety Simplifier |
| Requirements | EN 61508-2:2010, clause 7.4 |
| Purpose | Derive Safe Failure Fraction |
| Input | EN 61508-2:2010, Table A.1 to A.15 |
| Output | Estimates |
EN 61508-2:2010, Table A.1 to A.15

Faults or failures to be assumed when quantifying the effect of random hardware failures or to be taken into account in the derivation of safe failure fraction.

Safety Simplifier has an SFF > 99%. See the table in FSD212: Derivation of Safe Failure Fraction (this document).
| Component | Sub system | 61508-2 Table | Diagnostic technique/measure | DC | Comment |
|---|---|---|---|---|---|
| Electromechanical devices | | A.2 | | High (99%) | |
| | Relay output | | Monitoring of relay contacts | High (99%) | Relays are redundant and monitored by both CPUs. |
| Discrete hardware | | A.3, A.7, A.9 | | High (99%) | |
| Digital I/O | Dig In | | Monitored redundancy | High (99%) | Inputs are measured as analogue values and both CPUs compare the values; the two CPUs use different resistor dividers. |
| Digital I/O | Dig Out | | Monitored redundancy | High (99%) | Outputs are controlled by one CPU and measured by the other, compared continuously. There are several ways to turn everything off if a failure is detected. |
| Digital I/O | Relay driver | | Monitored redundancy | High (99%) | The relay driver is powered by the relay power, which is a watchdog design. |
| Analogue I/O | Anlg In | | Monitored redundancy | High (99%) | The digital inputs are actually measured as analogue signals. |
| Power supply | Pwr Supply | | Monitored redundancy | High (99%) | Separate power supply for each CPU; they monitor each other's power. Multiple overvoltage protection. A fatal overvoltage error will hardly trigger the watchdog-controlled general power supply. |
| Bus | | A.3 | | High (99%) | |
| | CPU1-CPU2 | | | | |
| General | CPU1-CPU2 | A.7 | Information redundancy (61508-7:A.7.6) | High (99%) | Every packet carries a CRC computed over both the safety information and the inverted safety information. |
| MMU | | A.8 | | N/A | |
| DMA | | | | N/A | |
| Bus-arbitration | | | | N/A | |
| CPU | | A.4, A.10 | Combination of temporal and logical monitoring of programme sequence (61508-7:A.9.4) | High (99%) | |
| Register, internal RAM | | | | | |
| Coding and execution including flag register | | | | | |
| Address calculation | | | | | |
| Program counter, stack pointer | | | | | |
| Interrupt handling | | A.4 | Reciprocal comparison by SW | High (99%) | Continuous cross-monitoring between the CPUs. |
| | Interrupt | | | | No or continuous interrupts gives the safe state. |
| Reset circuitry | | | | | |
| Invariable memory | | A.5 | 16 bit CRC (double word) | High (99%) | Settings and program memory are protected by this. |
| Variable memory | | A.6 | Galpat | High (99%) | RAM is checked continuously. |
| Clock (quartz, oscillator, PLL) | | A.11 | Temporal and logical monitoring | High (99%) | Both a common external clock and a reference internal clock, cross-checked by both CPUs in many ways. |
| Communication and mass storage | | A.12 | | High (99%) | |
| | Radio | | Information redundancy (61508-2:A.8) | High (99%) | |
| | CAN | | Information redundancy (61508-2:A.8) | High (99%) | |
| Sensors | | A.13 | Input comparison | High (99%) | |
| Final elements | | A.14 | | High (99%) | |
| | Dig Out | | Monitored (61508-7:A.13.1) | High (99%) | |
| | Relay driver | | Monitored redundancy (61508-7:A.1.2) | High (99%) | |
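As an added worked example (not part of the original document), the SFF definition from EN 61508-2:2010 Annex C applied to a few rows of the table above: the component names and the 99% diagnostic coverage come from the table, but every failure rate below is a constructed placeholder, not Safety Simplifier data.

```python
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class Component:
    """One table row with constructed failure rates (assumed, not product data)."""
    name: str
    lambda_s: float  # safe failure rate, 1/h
    lambda_d: float  # dangerous failure rate before diagnostics, 1/h
    dc: float        # diagnostic coverage as a fraction, 0.99 for High (99%)

    @property
    def lambda_dd(self) -> float:
        # Dangerous failures that the diagnostic measure detects.
        return self.dc * self.lambda_d

    @property
    def lambda_du(self) -> float:
        # Dangerous failures that stay undetected; only these lower the SFF.
        return (1.0 - self.dc) * self.lambda_d


def safe_failure_fraction(components) -> float:
    """SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_DD + sum lambda_DU),
    the definition in EN 61508-2:2010 Annex C."""
    lam_s = sum(c.lambda_s for c in components)
    lam_dd = sum(c.lambda_dd for c in components)
    lam_du = sum(c.lambda_du for c in components)
    total = lam_s + lam_dd + lam_du
    if total == 0.0:
        raise ValueError("no failure rates given")
    return (lam_s + lam_dd) / total


def undetected_share(components):
    """Rows ranked by their share of lambda_DU: where to look first if SFF falls short."""
    lam_du = sum(c.lambda_du for c in components)
    if lam_du == 0.0:
        return []
    return sorted(((c.name, c.lambda_du / lam_du) for c in components), key=lambda t: -t[1])


# Constructed rates in FIT; the 99% DC is the value claimed in the table above.
EXAMPLE = [
    Component("Relay output", 40 * FIT, 20 * FIT, 0.99),
    Component("Dig In", 30 * FIT, 30 * FIT, 0.99),
    Component("CPU1-CPU2 data path", 10 * FIT, 10 * FIT, 0.99),
    Component("Power supply", 50 * FIT, 25 * FIT, 0.99),
]

if __name__ == "__main__":
    print(f"SFF = {safe_failure_fraction(EXAMPLE):.2%}")  # 99.60% with these constructed rates
    for name, share in undetected_share(EXAMPLE):
        print(f"  {name}: {share:.1%} of lambda_DU")
```

Dropping the diagnostic on a single row (DC = 0 for the power supply in the constructed set) pulls the same set below 99%, which is why every row of the table needs its own DC claim.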
Revision History

| Date | By | Version | Description |
|---|---|---|---|
| 2017-11-09 | Jesper Ribbe | V01 | Initial version |
| 2025-07-23 | Jesper Ribbe | V02 | Reviewed and updated for v2.0.0 of software and PCB018K HW |