Failure Modes, Effects and Diagnostic Analysis

Project:
Smartline Radar Level RM 70

Customer:
Honeywell Process Solutions
Fort Washington, PA
USA

Contract No.: Q11/05-066


Report No.: HON 11/05-066 R002
Version V1, Revision R1, November 2008
Stephan Aschenbrenner - William Goble

The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in
any event for incidental or consequential damages in connection with the application of the document.
© All rights on the format of this technical report reserved.
Management summary
This report summarizes the results of the hardware assessment carried out on the Smartline
Radar Level RM 70 with software versions 1.0.0.6 (DSP), 1.0 (MSP) and 1.01.96 – 1.0.0.27
(BE).
The hardware assessment consists of a Failure Modes, Effects and Diagnostics Analysis
(FMEDA). A FMEDA is one of the steps taken to achieve functional safety assessment of a
device per IEC 61508. From the FMEDA, failure rates are determined and consequently the
Safe Failure Fraction (SFF) is calculated for the device. For full assessment purposes all
requirements of IEC 61508 must be considered.
For safety applications only the described versions were considered. All other possible output
variants or electronics are not covered by this report.
The failure rates used in this analysis are from the exida Electrical & Mechanical Component
Reliability Handbook for Profile 2 and 4.
The Smartline Radar Level RM 70 is considered to be a Type B subsystem [1] with a hardware
fault tolerance of 0. For Type B subsystems with a hardware fault tolerance of 0 the SFF shall
be > 60% for SIL1 subsystems according to table 3 of IEC 61508-2.
The manufacturer and exida performed a quantitative analysis of the mechanical parts of the
Smartline Radar Level RM 70 to calculate the mechanical failure rates of the sensor element
using the exida Electrical & Mechanical Component Reliability Handbook. The results of the
quantitative analysis were used for the calculations described in section 4.
The failure rates listed below do not include failures resulting from incorrect use of the Smartline
Radar Level RM 70, in particular humidity entering through incompletely closed housings or
inadequate cable feeding through the inlets.
It is assumed that the connected logic solver is configured as per the NAMUR NE43 signal
ranges, i.e. the Smartline Radar Level RM 70 with 4..20 mA current output communicates
detected faults by an alarm output current ≤ 3,6mA or ≥ 21mA. Assuming that the application
program in the safety logic solver does not automatically trip on these failures, these failures
have been classified as dangerous detected failures. The following table shows how the above
stated requirements are fulfilled.

[1] Type B subsystem: “Complex” subsystem (using micro controllers or programmable logic); for details
see 7.4.3.1.3 of IEC 61508-2.
© exida.com GmbH hon 1105066 r002 v1r1 rm70 fmeda, November 26, 2008
Stephan Aschenbrenner Page 2 of 4
Table 1: Summary for RM 70 – Failure rates [2]

Failure category                             exida Profile 2    exida Profile 4
                                             Failure rates      Failure rates
                                             (in FIT)           (in FIT)
Fail Safe Detected (SD)                      0                  0
  Fail safe detected                         0                  0
Fail Safe Undetected (SU)                    553                591
  Fail safe undetected                       0                  0
  Residual                                   544                582
  Annunciation undetected (95%)              9                  9
Fail Dangerous Detected (DD)                 1282               1282
  Fail dangerous detected                    1117               1117
  Fail High (detected by logic solver)       13                 13
  Fail Low (detected by logic solver)        152                152
  Annunciation detected                      0                  0
Fail Dangerous Undetected (DU)               247                259
  Fail dangerous undetected                  247                259
  Annunciation undetected (5%)               0                  0
No part                                      108                141

Total failure rate (safety function)         2082 FIT           2132 FIT

SFF                                          88%                87%

SIL AC [3]                                   SIL1               SIL1

A user of the Smartline Radar Level RM 70 can utilize these failure rates in a probabilistic model
of a safety instrumented function (SIF) to determine suitability in part for safety instrumented
system (SIS) usage in a particular safety integrity level (SIL). A full table of failure rates for
different operating conditions is presented in section 4 along with all assumptions.
It is important to realize that the “residual” failures are included in the “safe undetected” failure
category according to IEC 61508. Note that these failures on their own will not affect system
reliability or safety, and should not be included in spurious trip calculations.

[2] It is assumed that complete practical fault insertion tests can demonstrate the correctness of the failure effects
assumed during the FMEDA.
[3] SIL AC (architectural constraints) means that the calculated values are within the range for hardware architectural
constraints for the corresponding SIL but does not imply all related IEC 61508 requirements are fulfilled.
The failure rates are valid for the useful life of the Smartline Radar Level RM 70 (see
Appendix 2).

Table of Contents
2.1  exida ...............................................................................................................................7 
2.2  Roles of the parties involved ...........................................................................................7 
2.3  Standards / Literature used.............................................................................................7 
2.4  Reference documents .....................................................................................................8 
2.4.1  Documentation provided by the customer ............................................................8 
2.4.2  Documentation generated by exida .....................................................................8 
3.1  System description..........................................................................................................9 
3.2  Measuring principle .........................................................................................................9 
3.3  Characteristics of MIN Detection ..................................................................................10 
4.1  Description of the failure categories..............................................................................11 
4.2  Methodology – FMEDA, Failure rates ...........................................................................12 
4.2.1  FMEDA ...............................................................................................................12 
4.2.2  Failure rates .......................................................................................................12 
4.3  Assumptions .................................................................................................................13 
4.4  Analysis of the process connection...............................................................................13 
4.5  Results ..........................................................................................................................14 
4.5.1  RM 70 .................................................................................................................15 
5.1  Example PFDAVG calculation for profile 2 ......................................................................16 
7.1  Liability ..........................................................................................................................18 
7.2  Releases .......................................................................................................................18 
7.3  Release Signatures.......................................................................................................18 
Appendix 1.2: Possible proof tests to detect dangerous undetected faults..........................20 
Appendix 3.1: exida electronic database ............................................................................22 
Appendix 3.2: exida mechanical database ..........................................................................22 

1 Purpose and Scope
Generally three options exist when doing an assessment of sensors, interfaces and/or final
elements.

Option 1: Hardware assessment according to IEC 61508


Option 1 is a hardware assessment by exida according to the relevant functional safety
standard(s) like IEC 61508 or EN 954-1. The hardware assessment consists of a FMEDA to
determine the fault behavior and the failure rates of the device, which are then used to calculate
the Safe Failure Fraction (SFF) and the average Probability of Failure on Demand (PFDAVG).
When appropriate, fault injection testing will be used to confirm the effectiveness of any self-
diagnostics.
This option provides the safety instrumentation engineer with the required failure data as per
IEC 61508 / IEC 61511. This option does not include an assessment of the development
process.

Option 2: Hardware assessment with proven-in-use consideration per IEC 61508 / IEC 61511
Option 2 extends Option 1 with an assessment of the proven-in-use documentation of the
device including the modification process.
This option for pre-existing programmable electronic devices provides the safety
instrumentation engineer with the required failure data as per IEC 61508 / IEC 61511. When
combined with plant specific proven-in-use records, it may help with prior-use justification per
IEC 61511 for sensors, final elements and other PE field devices.

Option 3: Full assessment according to IEC 61508


Option 3 is a full assessment by exida according to the relevant application standard(s) like
IEC 61511 or EN 298 and the necessary functional safety standard(s) like IEC 61508 or
EN 954-1. The full assessment extends Option 1 by an assessment of all fault avoidance and
fault control measures during hardware and software development.
This option provides the safety instrumentation engineer with the required failure data as per
IEC 61508 / IEC 61511 and confidence that sufficient attention has been given to systematic
failures during the development process of the device.

This assessment shall be done according to option 1.

This document shall describe the results of hardware assessment according to IEC 61508
carried out on the Smartline Radar Level RM 70 with software versions 1.0.0.6 (DSP), 1.0
(MSP) and 1.01.96 – 1.0.0.27 (BE).
The information in this report can be used to evaluate whether a sensor subsystem, including
the Smartline Radar Level RM 70 meets the average Probability of Failure on Demand (PFDAVG)
requirements and the architectural constraints / minimum hardware fault tolerance requirements
per IEC 61508. It does not consider any calculations necessary for proving intrinsic safety.

2 Project management
2.1 exida
exida is one of the world’s leading knowledge companies specializing in automation system
safety and availability with over 300 years of cumulative experience in functional safety.
Founded by several of the world’s top reliability and safety experts from assessment
organizations and manufacturers, exida is a partnership company with offices around the world.
exida offers training, coaching, project oriented consulting services, internet based safety
engineering tools, detail product assurance and certification analysis and a collection of on-line
safety and reliability resources. exida maintains a comprehensive failure rate and failure mode
database on process equipment.

2.2 Roles of the parties involved


HONEYWELL Supplier of the Smartline Radar Level RM 70
exida Performed the hardware assessment according to option 1 (see section 1).
exida was contracted in September 2008 to perform the FMEDA of the above mentioned
device.

2.3 Standards / Literature used


The services delivered by exida were performed based on the following standards / literature.

[N1] IEC 61508-2:2000: Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
[N2] Electrical & Mechanical Component Reliability Handbook, 2nd Edition, 2008: exida L.L.C, Electrical & Mechanical Component Reliability Handbook, Second Edition, 2008, ISBN 978-0-9727234-6-6
[N3] IEC 60654-1:1993-02, second edition: Industrial-process measurement and control equipment – Operating conditions – Part 1: Climatic condition

2.4 Reference documents
2.4.1 Documentation provided by the customer
[D1] TD_OPTIWAVE7300_en_081006.pdf: Technical Datasheet 4000112302 - TD OPTIWAVE 7300 R07 en © Krohne 07/2008
[D2] HB_OPTIWAVE_en_080205.pdf: Handbook 4000172401 - HB OPTIWAVE 7300 R03 en © Krohne 01/2008
[D3] STR2138270100i.pdf: Circuit diagram “Backend / Ex, New Level” STR2138270100 Ind. i
[D4] STR2138320100d_modifié.pdf: Circuit diagram “EMC, New Level” STR2138320100 Ind. D
[D5] STR2138350100d.pdf: Circuit diagram “best. LP Mikrowelle, New Level” STR2138350100 Ind. d
[D6] OW7300C_DSP_080918.pdf: Circuit diagram “DSP, New Level” STR2138260100 Ind. g
[D7] STR2138330100d.pdf: Circuit diagram “Barrier New Level” STR2138330100d
[D8] F2.09599.00 E.pdf: Mechanical drawing “CORPS SONDE RADAR PEI” F2.09599.00 Ind. E
[D9] F2.09600.00 E.pdf: Mechanical drawing “CORPS SONDE RADAR META” F2.09600.00 Ind. E
[D10] F2.09553.00 D.pdf: Mechanical drawing “SONDE RADAR ANTENNE COURTE” F2.09553.00 Ind. D
[D11] F2.09607.00 I.pdf: Mechanical drawing “BOITIER EQUIPE” F2.09607.00 Ind. I
[D12] OW7300C_BE_081005.efm of 07.10.08: FMEDA Backend
[D13] OW7300C_EMC_081005.efm of 07.10.08: FMEDA EMC Board
[D14] OW7300C_DSP_081005.efm of 07.10.08: FMEDA DSP Board
[D15] OW7300C_MW_081022.efm of 22.10.08: FMEDA Microwave Board

2.4.2 Documentation generated by exida


[R1] FMEDA_V7_Sensor_and_housing_OPTIWAVE_V0R1.efm of 16.09.08
[R2] FMEDA_V7_OW7300C_V1R1.efm of 04.11.08

3 Description of the analyzed subsystem
3.1 System description
RM 70 is a non-contact Radar (FMCW) Level Meter for distance, level and volume
measurement of liquids, pastes and solids. It gives a more stable measurement than pulse
radar and is well suited to agitated process conditions.
The Smartline Radar Level RM 70 is considered to be a Type B subsystem with a hardware
fault tolerance of 0.
The FMEDA has been carried out on the parts indicated in Figure 1, except for Part 1, the
graphical display.

Figure 1: RM 70

3.2 Measuring principle


The measuring is based on the FMCW (Frequency Modulated Continuous Wave) principle.

The FMCW radar uses a high-frequency signal (~24 GHz) whose transmit frequency increases
linearly by 1 GHz during the measurement (frequency sweep) (1). The signal is emitted,
reflected at the measuring surface and received with a time delay (2). For further signal
processing the difference Δf between the actual transmit frequency and the receive frequency is
calculated (3). This difference is directly proportional to the distance, i.e. a large frequency
difference corresponds to a large distance and vice versa. The frequency difference is
transformed by a Fourier transformation (FFT) into a frequency spectrum, and the distance is
then calculated from the spectrum. The level results from the difference between tank height
and distance.

Figure 2: Measuring principle

3.3 Characteristics of MIN Detection


In case of MIN detection the following causes lead to the situation where the Smartline Radar
Level RM 70 can no longer be used for safety related functions with the listed failure rates, Safe
Failure Fraction and PFDAVG:
─ Thick and/or solid build-up
─ False echoes from flat obstructions or obstructions with a sharp edge
─ Applications using agitators
─ Foam with a density > 5 g/cm3
However, reduced proof test intervals can help to detect such unwanted causes.

4 Failure Modes, Effects, and Diagnostic Analysis
The Failure Modes, Effects, and Diagnostic Analysis was documented in [R2]. Failures have
been classified according to the following failure categories.

4.1 Description of the failure categories


In order to judge the failure behavior of the Smartline Radar Level RM 70, the following
definitions for the failure of the product were considered.
Fail-Safe State: The fail-safe state is defined as the output reaching the user defined threshold value.
Fail Safe: Failure that causes the subsystem to go to the defined fail-safe state without a demand from the process.
Fail Dangerous: Failure that leads to a measurement error of more than 2% of full span and therefore has the potential to not respond to a demand from the process (i.e. being unable to go to the defined fail-safe state).
Fail Dangerous Undetected: Failure that is dangerous and that is not being diagnosed by internal diagnostics.
Fail Dangerous Detected: Failure that is dangerous but is detected by internal diagnostics and causes the output signal to go to the predefined alarm state.
Fail High: A fail high failure (H) is defined as a failure that causes the output signal to go to the over-range or high alarm output current (> 21mA).
Fail Low: A fail low failure (L) is defined as a failure that causes the output signal to go to the under-range or low alarm output current (< 3.6mA).
Annunciation: Failure that does not directly impact safety but does impact the ability to detect a future fault (such as a fault in a diagnostic circuit). Annunciation failures are divided into annunciation detected (AD) and annunciation undetected (AU) failures.
Residual: Failure mode of a component that plays a part in implementing the safety function but is neither a safe failure nor a dangerous failure. For the calculation of the SFF it is treated like a safe undetected failure.
No part: Component that plays no part in implementing the safety function but is part of the circuit diagram and is listed for completeness. When calculating the SFF this failure mode is not taken into account. It is also not part of the total failure rate.
The failure categories listed above expand on the categories listed in IEC 61508 which are only
safe and dangerous, both detected and undetected. The reason for this is that not all failure
modes have effects that can be accurately classified according to the failure categories listed in
IEC 61508.
The “Residual” and “Annunciation” failures are provided for those who wish to do reliability
modeling more detailed than required by IEC 61508. The “Residual” failures are defined as safe
undetected failures even though they will not cause the safety function to go to a safe state.
Therefore they need to be considered in the Safe Failure Fraction calculation.

4.2 Methodology – FMEDA, Failure rates
4.2.1 FMEDA
A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the
effects of different component failure modes, to determine what could eliminate or reduce the
chance of failure, and to document the system under consideration.
An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines
standard FMEA techniques with extensions to identify online diagnostics techniques and the
failure modes relevant to safety instrumented system design. It is a technique recommended to
generate failure rates for each important category (safe detected, safe undetected, dangerous
detected, dangerous undetected, fail high, fail low) in the safety models. The format for the
FMEDA is an extension of the standard FMEA format from MIL STD 1629A, Failure Modes and
Effects Analysis.

4.2.2 Failure rates


The failure rate data used by exida in this FMEDA are from the exida Electrical & Mechanical
Component Reliability Handbook for Profile 2 and 4. The rates were chosen in a way that is
appropriate for safety integrity level verification calculations. It is expected that the actual
number of field failures due to random events will be less than the number predicted by these
failure rates.
For hardware assessment according to IEC 61508 only random equipment failures are of
interest. It is assumed that the equipment has been properly selected for the application and is
adequately commissioned such that early life failures (infant mortality) may be excluded from
the analysis.
Failures caused by external events however should be considered as random failures.
Examples of such failures are loss of power, physical abuse, or problems due to intermittent
instrument air quality.
The assumption is also made that the equipment is maintained per the requirements of
IEC 61508 or IEC 61511 and therefore a preventative maintenance program is in place to
replace equipment before the end of its “useful life”. Corrosion, erosion, coil burnout etc. are
considered age related (late life) or systematic failures, provided that materials and technologies
applied are indeed suitable for the application, in all modes of operation.
The user of these numbers is responsible for determining their applicability to any particular
environment. Accurate plant specific data may be used for this purpose. If a user has data
collected from a good proof test reporting system that indicates higher failure rates, the higher
numbers shall be used. Some industrial plant sites have high levels of stress. Under those
conditions the failure rate data is adjusted to a higher value to account for the specific
conditions of the plant.

4.3 Assumptions
The following assumptions have been made during the Failure Modes, Effects, and Diagnostic
Analysis of the Smartline Radar Level RM 70.
─ Failure rates are constant, wear out mechanisms are not included.
─ Propagation of failures is not relevant.
─ The HART protocol is only used for setup, calibration, and diagnostics purposes, not during
normal operation.
─ The device is installed per manufacturer’s instructions.
─ Failures during parameterization are not considered.
─ Complete practical fault insertion tests can demonstrate that the diagnostic coverage (DC)
corresponds to the assumed DC in the FMEDAs.
─ Sufficient tests are performed prior to shipment to verify the absence of vendor and/or
manufacturing defects that prevent proper operation of specified functionality to product
specifications or cause operation different from the design analyzed.
─ The mean time to restoration (MTTR) after a safe or detectable failure is 24 hours.
─ All modules are operated in the low demand mode of operation.
─ External power supply failure rates are not included.
─ Because the display is not part of the safety function, the failure rate of the display is not
considered in the calculation.
─ The time of a connected safety PLC to react on a dangerous detected failure and to bring
the process to the safe state is identical to MTTR.
─ The worst-case internal fault detection time is 1 minute. Depending on the application, this
interval needs to be considered directly in the SIL verification.
─ The output signals are fed into a SIL1 compliant input board of a safety PLC.
─ The application program in the safety logic solver is configured according to NAMUR NE43
to detect under-range and over-range failures and does not automatically trip on these
failures; therefore these failures have been classified as dangerous detected failures.
─ Only the current output 4..20mA is used for safety applications.
─ Materials are compatible with process conditions.
─ The measurement/application limits (including pressure and temperature ranges) are
considered.

4.4 Analysis of the process connection


The manufacturer and exida performed a quantitative analysis of the mechanical parts of the
Smartline Radar Level RM 70 to calculate the mechanical failure rates of the sensor element
using the exida Electrical & Mechanical Component Reliability Handbook. The results of the
quantitative analysis were used for the calculations described in section 4.

4.5 Results
For the calculation of the Safe Failure Fraction (SFF) the following has to be noted:
λtotal consists of the sum of all component failure rates. This means:
λtotal = λSD + λSU + λDD + λDU
SFF = 1 – λDU / λtotal

4.5.1 RM 70
The FMEDA carried out on RM 70 leads under the assumptions described in sections 4.3 to 4.5
to the following failure rates:

Failure category                             exida Profile 2    exida Profile 4
                                             Failure rates      Failure rates
                                             (in FIT)           (in FIT)
Fail Safe Detected (SD)                      0                  0
  Fail safe detected                         0                  0
Fail Safe Undetected (SU)                    553                591
  Fail safe undetected                       0                  0
  Residual                                   544                582
  Annunciation undetected (95%)              9                  9
Fail Dangerous Detected (DD)                 1282               1282
  Fail dangerous detected                    1117               1117
  Fail High (detected by logic solver)       13                 13
  Fail Low (detected by logic solver)        152                152
  Annunciation detected                      0                  0
Fail Dangerous Undetected (DU)               247                259
  Fail dangerous undetected                  247                259
  Annunciation undetected (5%)               0                  0
No part                                      108                141

Total failure rate (safety function)         2082 FIT           2132 FIT

SFF                                          88%                87%

SIL AC [4]                                   SIL1               SIL1

[4] SIL AC (architectural constraints) means that the calculated values are within the range for hardware architectural
constraints for the corresponding SIL but does not imply all related IEC 61508 requirements are fulfilled.
5 Using the FMEDA results
The following section describes how to apply the results of the FMEDA.
It is the responsibility of the Safety Instrumented Function designer to do calculations for the
entire SIF. exida recommends the accurate Markov based exSILentia tool for this purpose.
The following results must be considered in combination with PFDAVG values of other devices of
a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety
Integrity Level (SIL).

5.1 Example PFDAVG calculation for profile 2


An average Probability of Failure on Demand (PFDAVG) calculation is performed for a single
(1oo1) Smartline Radar Level RM 70 considering a proof test coverage of 95% (see Appendix
1.2) and a mission time of 10 years. The failure rate data used in this calculation are displayed
in section 4.5.1. The resulting PFDAVG values for a variety of
proof test intervals are displayed in Table 2.

For SIL1 applications, the PFDAVG value needs to be < 1.00E-01.

Table 2: PFDAVG values

T[Proof] = 1 year       T[Proof] = 2 years      T[Proof] = 5 years
PFDAVG = 1.60E-03       PFDAVG = 2.63E-03       PFDAVG = 5.71E-03

This means that for a SIL1 application, the PFDAVG for a 1-year Proof Test Interval considering
profile 2 data is approximately equal to 2% of the range.

Figure 3 shows PFDAVG as a function of the proof test interval.

Figure 3: PFDAVG(t) – PFDAVG vs. Proof Test Interval (OPTIWAVE 7300 C); y-axis PFDAVG from 0,00E+00 to 1,20E-02, x-axis proof test interval in years (1 to 10)

6 Terms and Definitions
DCD: Diagnostic Coverage of dangerous failures
FIT: Failure In Time (1×10^-9 failures per hour)
FMEDA: Failure Modes, Effects, and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Low demand mode: Mode where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof test frequency.
PFDAVG: Average Probability of Failure on Demand
SFF: Safe Failure Fraction summarizes the fraction of failures which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action.
SIF: Safety Instrumented Function
SIL: Safety Integrity Level
Type B subsystem: “Complex” subsystem (using micro controllers or programmable logic); for details see 7.4.3.1.3 of IEC 61508-2
T[Proof]: Proof Test Interval

7 Status of the document

7.1 Liability
exida prepares reports based on methods advocated in International standards. Failure rates
are obtained from a collection of industrial databases. exida accepts no liability whatsoever for
the use of these numbers or for the correctness of the standards on which the general
calculation methods are based.
Due to future potential changes in the standards, best available information and best practices,
the current FMEDA results presented in this report may not be fully consistent with results that
would be presented for the identical product at some future time. As a leader in the functional
safety market place, exida is actively involved in evolving best practices prior to official release
of updated standards so that our reports effectively anticipate any known changes. In addition,
most changes are anticipated to be incremental in nature and results reported within the
previous three year period should be sufficient for current usage without significant question.
Most products also tend to undergo incremental changes over time. If an exida FMEDA has not
been updated within the last three years and the exact results are critical to the SIL verification
you may wish to contact the product vendor to verify the current validity of the results.

7.2 Releases
Version History: V1R1: Update to OEM, May 23, 2011
V1R0: Review comments incorporated; November 26, 2008
V0R1: Initial version; November 4, 2008
Author: Stephan Aschenbrenner
Review: V0R1: Rachel Amkreutz (exida), November 4, 2008
Richard Marlier (Krohne S.A.S.), November 14, 2008
Release status: Released to KROHNE S.A.S.

7.3 Release Signatures

Dipl.-Ing. (Univ.) Stephan Aschenbrenner, Partner

Rachel Amkreutz, Safety Engineer

Appendix 1: Possibilities to reveal dangerous undetected faults during the
proof test

According to section 7.4.3.2.2 f) of IEC 61508-2 proof tests shall be undertaken to reveal
dangerous faults which are undetected by diagnostic tests.
This means that it is necessary to specify how dangerous undetected faults which have been
noted during the FMEDA can be detected during proof testing.
Table 3 shows an importance analysis according to the exida database (profile 2) of the ten
most critical dangerous undetected faults and indicate how these faults can be detected during
proof testing.
Appendix 1 shall be considered when writing the safety manual as it contains important safety
related information.

Table 3: Importance Analysis for RM 70

Component % of total du Detection through


100% functional test with different input
Pos. 10 10,14%
signals and monitoring of the output signals
100% functional test with different input
IC4 8,84%
signals and monitoring of the output signals
100% functional test with different input
IC1 8,84%
signals and monitoring of the output signals
100% functional test with different input
G2 8,11%
signals and monitoring of the output signals
100% functional test with different input
IC21-ROM 5,66%
signals and monitoring of the output signals
100% functional test with different input
IC16-ROM 5,66%
signals and monitoring of the output signals
100% functional test with different input
IC17, IC20 4,28%
signals and monitoring of the output signals
100% functional test with different input
Pos. 17 3,65%
signals and monitoring of the output signals
100% functional test with different input
IC13 3,64%
signals and monitoring of the output signals
100% functional test with different input
IC19 3,55%
signals and monitoring of the output signals

Appendix 1.2: Possible proof tests to detect dangerous undetected faults
A possible proof test could consist of the steps described in Table 4.

Table 4: Steps for a possible proof test

Step   Action
1      Bypass the safety PLC or take other appropriate action to avoid a false trip.
2      Inspect the device for any visible damage or contamination.
3      Send a HART command to the transmitter to go to the high alarm current output and
       verify that the analog current reaches that value.
       This tests for compliance voltage problems such as a low loop power supply voltage or
       increased wiring resistance. This also tests for other possible failures.
4      Perform a two-point calibration of the transmitter and verify that the analog current
       reaches the expected values.
5      Send a HART command to the transmitter to go to the low alarm current output and
       verify that the analog current reaches that value.
       This tests for possible quiescent current related failures.
6      Restore the loop to full operation.
7      Remove the bypass from the safety PLC or otherwise restore normal operation.

This test will detect approximately 95% of possible “du” failures of the transmitter including the
sensor element.

Appendix 2: Impact of lifetime of critical components on the failure rate
According to section 7.4.7.4 of IEC 61508-2, a useful lifetime, based on experience, should be
assumed.
Although a constant failure rate is assumed by the probabilistic estimation method (see section
4.3), this only applies provided that the useful lifetime [5] of the components is not exceeded.
Beyond their useful lifetime the result of the probabilistic calculation method is meaningless, as
the probability of failure increases significantly with time. The useful lifetime depends strongly
on the component itself and its operating conditions, temperature in particular (electrolytic
capacitors, for example, can be very sensitive).
The assumption of a constant failure rate is based on the bathtub curve, which shows the
typical behavior of electronic components. The PFDavg calculation is therefore only valid for
components that are in this constant-rate region, and the validity of the calculation is limited
to the useful lifetime of each component.
It is assumed that a large fraction of early failures is detected during the installation period,
so that the assumption of a constant failure rate during the useful lifetime is valid.
Table 5 shows which components with a reduced useful lifetime contribute to the dangerous
undetected failure rate, and therefore to the PFDavg calculation, and what their estimated
useful lifetime is.
Table 5: Useful lifetime of components with reduced useful lifetime contributing to du

Type                                        Name                                          Useful life at 40 °C
Capacitor (electrolytic-solid), aluminum    C53                                           Approximately 90 000 hours [6]
Capacitor (electrolytic-solid), tantalum    C30, C56, C22, C26, C32, C52, C33, C54, C31   Approximately 500 000 hours
Sensor element                              -                                             According to manufacturer's specification

When plant experience indicates a shorter useful lifetime than indicated in this appendix, the
number based on plant experience should be used.

[5] Useful lifetime is a reliability engineering term that describes the operational time interval where the failure rate of a
device is relatively constant. It is not a term which covers product obsolescence, warranty, or other commercial
issues.
[6] The operating temperature has a direct impact on this time; even a small rise above the assumed ambient
operating temperature therefore reduces the useful lifetime considerably. Capacitor life follows the "10 °C doubling
rule": life is doubled for each 10 °C reduction in operating temperature (and, correspondingly, halved for each
10 °C increase).
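The following Python example is added here and is not part of the exida report or of the RM 70 product. It shows how the two limits stated in this report, the approximately 95 % proof test coverage of the procedure in Appendix 1.2 (Table 4) and the temperature-dependent useful lifetime of the components in Appendix 2 (Table 5 and footnote 6), bound a PFDavg result: the mission time used in the calculation may not exceed the derated useful life of the shortest-lived contributing component, and only the covered fraction of du failures is reset by each proof test. The dangerous undetected failure rate LAMBDA_DU_FIT is a constructed placeholder and not the report's figure, and the PFDavg expression is the generic single-channel approximation with imperfect proof test coverage, not a formula printed on this page.

```python
"""Added example (not from the exida report): how proof test coverage and
component useful lifetime bound a PFDavg calculation.

Assumptions, constructed for illustration and NOT taken from the report:
  - LAMBDA_DU_FIT is a placeholder dangerous-undetected failure rate in FIT
    (failures per 1e9 h); the real RM 70 value is in the report body.
  - pfd_avg() is the generic single-channel approximation with imperfect
    proof test coverage, not a formula printed on this page.
"""

HOURS_PER_YEAR = 8760.0

# Appendix 1.2: the proof test of Table 4 reveals about 95 % of du failures.
PROOF_TEST_COVERAGE = 0.95

# Appendix 2, Table 5: useful life at 40 C of the components contributing to du.
USEFUL_LIFE_AT_40C_H = {
    "C53 (aluminum electrolytic)": 90_000.0,
    "tantalum capacitors (C30, C56, ...)": 500_000.0,
}

# Constructed placeholder, not the report's value.
LAMBDA_DU_FIT = 100.0


def useful_life_at(temp_c: float, life_at_40c_h: float) -> float:
    """Footnote 6, '10 C doubling rule': life doubles for every 10 C below
    40 C and, conversely, halves for every 10 C above it."""
    return life_at_40c_h * 2.0 ** ((40.0 - temp_c) / 10.0)


def validity_limit_h(temp_c: float) -> tuple[str, float]:
    """Return the contributing component with the shortest derated useful life
    and that life. Beyond it the constant-failure-rate assumption, and with it
    the PFDavg result, no longer holds (Appendix 2)."""
    return min(
        ((name, useful_life_at(temp_c, h)) for name, h in USEFUL_LIFE_AT_40C_H.items()),
        key=lambda item: item[1],
    )


def pfd_avg(lambda_du_fit: float, proof_test_interval_h: float,
            mission_time_h: float, coverage: float = PROOF_TEST_COVERAGE) -> float:
    """Single-channel PFDavg with imperfect proof test coverage.

    The covered fraction of du failures is cleared at every proof test, so it
    accumulates over TI/2 on average; the uncovered fraction is only cleared
    by replacement and accumulates over half the mission time.
    """
    lam = lambda_du_fit * 1e-9  # FIT -> failures per hour
    return (lam * coverage * proof_test_interval_h / 2.0
            + lam * (1.0 - coverage) * mission_time_h / 2.0)


def sil_verification(temp_c: float, proof_test_interval_years: float,
                     mission_time_years: float) -> dict:
    """Cap the requested mission time by the derated useful life, then compute
    PFDavg. The returned dict records whether the cap was applied so the
    reviewer can see that the requested mission time was not achievable."""
    limiting, life_h = validity_limit_h(temp_c)
    requested_h = mission_time_years * HOURS_PER_YEAR
    mission_h = min(requested_h, life_h)
    return {
        "limiting_component": limiting,
        "useful_life_h": life_h,
        "mission_time_capped": mission_h < requested_h,
        "mission_time_h": mission_h,
        "pfd_avg": pfd_avg(LAMBDA_DU_FIT,
                           proof_test_interval_years * HOURS_PER_YEAR,
                           mission_h),
    }


if __name__ == "__main__":
    # Same loop, three operating temperatures: the C53 aluminum capacitor is
    # the limiting part, and at 40 C and above a 15-year mission is not valid.
    for temp in (30.0, 40.0, 50.0):
        r = sil_verification(temp, proof_test_interval_years=1.0, mission_time_years=15.0)
        print(f"{temp:>4.0f} C: limited by {r['limiting_component']} "
              f"({r['useful_life_h']:.0f} h, capped={r['mission_time_capped']}), "
              f"PFDavg = {r['pfd_avg']:.2e}")
```

The point a practitioner should take from running it: raising the operating temperature from 30 °C to 50 °C cuts the validity window of the calculation from 180 000 h to 45 000 h, and the 5 % of du failures the Table 4 proof test does not reveal is what makes the PFDavg grow with mission time rather than only with the proof test interval.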
Appendix 3: Description of the considered profiles

Appendix 3.1: exida electronic database


Profile   Profile according to IEC 60654-1   Ambient temperature, average external [°C]   Ambient temperature, mean inside box [°C]   Temperature cycle [°C / 365 days]
1         B2                                 30                                           60                                          5
2         C3                                 25                                           30                                          25
3         C3                                 25                                           45                                          25

PROFILE 1:
Cabinet mounted equipment typically has significant temperature rise due to power dissipation
but is subjected to only minimal daily temperature swings.
PROFILE 2:
Low power electrical (two-wire) field products have minimal self heating and are subjected to
daily temperature swings.
PROFILE 3:
General (four-wire) field products may have moderate self heating and are subjected to daily
temperature swings.

Appendix 3.2: exida mechanical database


Profile   Profile according to IEC 60654-1   Ambient temperature, average external [°C]   Ambient temperature, mean inside box [°C]   Temperature cycle [°C / 365 days]
1         B2                                 30                                           60                                          5
2         C3                                 25                                           30                                          25
3         C3                                 25                                           45                                          25
4         D1                                 25                                           30                                          35

PROFILE 1:
Cabinet mounted equipment typically has significant temperature rise due to power dissipation
but is subjected to only minimal daily temperature swings.
PROFILE 2:
Mechanical field products have minimal self heating and are subjected to daily temperature
swings.
PROFILE 3:
Mechanical field products may have moderate self heating and are subjected to daily
temperature swings.
PROFILE 4:
Unprotected mechanical field products with minimal self heating, are subject to daily
temperature swings and rain or condensation.