Annex H
(informative)
Simplified approaches to evaluate the PFH value of a subsystem
H.1 Table allocation approach
The following procedure allows evaluating the PFH value of a subsystem:
1) Selection of the used architecture of a not-pre-designed subsystem based on the DC(s) per
channel;
NOTE 1 A pre-designed subsystem is characterized by a SIL with a PFH value (see also 6.2). A not-pre-designed
subsystem claims a maximum SIL based on the architectural constraints (see 7.4).
Where the DCs per channel are different, either the lowest DC per channel may be used as
a worst-case approach, or the arithmetic average of the DC per channel of both channels.
2) Determination of the PFH value with Table H.1 and Table H.2 for not-pre-designed subsystems:
– using Table H.1 for components qualified by MTTFD per channel and DC to allocate the
PFH value within a range of 10 %, 20 %, 30 %, 40 % or 50 % of the limit of the respective
required SIL, or
– using Table H.2 for components qualified by B10D and equation (7) in 7.3.4.2 to
determine the MTTFD per channel and then, by use of Table H.1, allocating the PFH
value within a range of 10 %, 20 %, 30 %, 40 % or 50 % of the limit of the respective
required SIL.

The safety function is performed by a single channel comprising the elements e1 to en. Any
undetected dangerous fault of a subsystem element leads to a dangerous failure of the safety
function.
Where a fault of a subsystem element is detected, the diagnostic function(s) initiates a fault
reaction function (see 7.4.3).
In the following, the notion of fault handling function is used. The fault handling function
comprises both the fault detection function and the fault reaction function, see Figure H.4.

All approaches of H.2.4 for the calculation of PFH assume time-optimal fault handling. Time-optimal
fault handling of a subsystem element can be assumed if:
• the diagnostic rate is at least a factor of 100 higher than the demand rate of the safety
function and the time needed for the fault reaction is sufficiently short to bring the system
to a safe state before a hazardous event occurs; or
• the fault handling is performed immediately upon any potential demand of the safety function
and the time needed to detect a detectable fault and to bring the system to a safe state is
shorter than the process safety time; or
• the fault handling is performed continuously and the time needed to detect a detectable fault
and to bring the system to a safe state is shorter than the process safety time; or
• the fault handling is performed periodically and the sum of the test interval, the time needed
to detect a detectable fault and time needed to bring the system to a safe state is shorter
than the process safety time.
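As an added illustration that is not part of the standard's text, the following check evaluates the four alternative timing conditions above for a single subsystem element. The first bullet only asks for a "sufficiently short" fault reaction; the code assumes this means the reaction must complete within the process safety time, and all numeric inputs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example (not from IEC 62061): decides whether the fault handling
# function of one element can be treated as time-optimal. Times in seconds, rates in 1/s.
FAST_DIAGNOSTICS = "diagnostic rate >= 100 x demand rate"
ON_DEMAND = "fault handling on every potential demand"
CONTINUOUS = "continuous fault handling"
PERIODIC = "periodic fault handling"


@dataclass
class FaultHandling:
    mode: str                      # "on_demand", "continuous" or "periodic"
    detection_time: float          # time to detect a detectable fault
    reaction_time: float           # time to bring the system to a safe state
    demand_rate: float             # demand rate of the safety function (1/s)
    diagnostic_rate: float = 0.0   # rate of the diagnostic tests (1/s), 0 if unknown
    test_interval: float = 0.0     # periodic mode only


def time_optimal(fh: FaultHandling, process_safety_time: float) -> Optional[str]:
    """Return the satisfied condition, or None if time-optimal fault handling
    cannot be assumed (so the H.2.4 PFH approaches do not apply as-is)."""
    # Condition 1; assumption: "sufficiently short" = reaction inside the process safety time.
    if (fh.diagnostic_rate >= 100 * fh.demand_rate
            and fh.reaction_time < process_safety_time):
        return FAST_DIAGNOSTICS
    # Conditions 2 and 3: detection plus reaction inside the process safety time.
    settle_time = fh.detection_time + fh.reaction_time
    if fh.mode == "on_demand" and settle_time < process_safety_time:
        return ON_DEMAND
    if fh.mode == "continuous" and settle_time < process_safety_time:
        return CONTINUOUS
    # Condition 4: the test interval is charged against the process safety time as well.
    if fh.mode == "periodic" and fh.test_interval + settle_time < process_safety_time:
        return PERIODIC
    return None


if __name__ == "__main__":
    # Self-test every 30 s, demand about once a minute, 10 s process safety time:
    # neither the rate ratio nor the interval budget holds.
    slow = FaultHandling("periodic", 0.1, 0.2, 1 / 60, diagnostic_rate=1 / 30, test_interval=30.0)
    print(time_optimal(slow, 10.0))   # None
    # Same element with the test interval shortened to 5 s: interval + detection + reaction fits.
    fixed = FaultHandling("periodic", 0.1, 0.2, 1 / 60, diagnostic_rate=1 / 5, test_interval=5.0)
    print(time_optimal(fixed, 10.0))  # periodic fault handling
```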
NOTE Although the failure of the fault handling function will not cause a failure of the safety function, the elements
contributing to the fault handling function are assigned a dangerous failure rate containing the letter D in the index
of λ. Dangerous failures in this sense are failures that lead to a loss of the fault handling function. The dangerous
failure rate of elements involved in the fault handling function does not cover failures which lead to a fault reaction
although there is no failure of the functional channel (so-called “false trips”).
H.2.4.2 External fault handling function
The fault handling function may be completely performed by a separate subsystem(s) of the
SCS which is also involved in performing the safety function, thus contributing to its PFH. These
conditions are depicted in Figure H.5.