Functional Safety

Relay Module
KFD2-RSH-1.2E.L2(-Y1),
KFD2-RSH-1.2E.L3(-Y1)

Manual

3
ISO9001
With regard to the supply of products, the current issue of the following document is applicable:
The General Terms of Delivery for Products and Services of the Electrical Industry, published by the Central
Association of the Electrical Industry (Zentralverband Elektrotechnik und Elektroindustrie (ZVEI) e.V.) in its most
recent version as well as the supplementary clause: "Expanded reservation of proprietorship"

Worldwide
Pepperl+Fuchs Group
Lilienthalstr. 200
68307 Mannheim
Germany
Phone: +49 621 776 - 0
E-mail: info@de.pepperl-fuchs.com
North American Headquarters
Pepperl+Fuchs Inc.
1600 Enterprise Parkway
Twinsburg, Ohio 44087
USA
Phone: +1 330 425-3555
E-mail: sales@us.pepperl-fuchs.com
Asia Headquarters
Pepperl+Fuchs Pte. Ltd.
P+F Building
18 Ayer Rajah Crescent
Singapore 139942
Phone: +65 6779-9091
E-mail: sales@sg.pepperl-fuchs.com
https://www.pepperl-fuchs.com
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1 Content of this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Symbols Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2 Product Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1 Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3 Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4 Standards and Directives for Functional Safe . . . . . . . . . . . . . . . . . . . . . 9

3 Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1 System Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3 Safety Function and Safe State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.4 Characteristic Safety Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.5 Useful Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4 Mounting and Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.1 Mounting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
5.1 Internal Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.2 Proof Test Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.3 Application Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

6 Maintenance and Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

7 List of Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2019-11

3
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Contents

2019-11

4
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Introduction

1 Introduction

1.1 Content of this Document

This document contains information for usage of the device in functional safety-related
applications. You need this information to use your product throughout the applicable stages
of the product life cycle. These can include the following:
• Product identification
• Delivery, transport, and storage
• Mounting and installation
• Commissioning and operation
• Maintenance and repair
• Troubleshooting
• Dismounting
• Disposal
Note
This document does not substitute the instruction manual.

Note
For full information on the product, refer to the instruction manual and further documentation
on the Internet at www.pepperl-fuchs.com.

The documentation consists of the following parts:

• Present document
• Instruction manual
• Manual
• Datasheet
Additionally, the following parts may belong to the documentation, if applicable:
• EU-type examination certificate
• EU declaration of conformity
• Attestation of conformity
• Certificates
• Control drawings
• FMEDA report
• Assessment report
• Additional documents
For more information about Pepperl+Fuchs products with functional safety,
see www.pepperl-fuchs.com/sil.
2019-12

5
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Introduction

1.2 Safety Information

Target Group, Personnel
Responsibility for planning, assembly, commissioning, operation, maintenance,
and dismounting lies with the plant operator.
Only appropriately trained and qualified personnel may carry out mounting, installation,
commissioning, operation, maintenance, and dismounting of the product. The personnel
must have read and understood the instruction manual and the further documentation.

Intended Use
The device is only approved for appropriate and intended use. Ignoring these instructions
will void any warranty and absolve the manufacturer from any liability.
The device is developed, manufactured and tested according to the relevant safety standards.
Use the device only
• for the application described
• with specified environmental conditions
• with devices that are suitable for this safety application

Improper Use
Protection of the personnel and the plant is not ensured if the device is not used according
to its intended use.

2019-12

6
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Introduction

1.3 Symbols Used

This document contains symbols for the identification of warning messages and
of informative messages.

Warning Messages
You will find warning messages, whenever dangers may arise from your actions.
It is mandatory that you observe these warning messages for your personal safety and in order
to avoid property damage.
Depending on the risk level, the warning messages are displayed in descending order
as follows:

Danger!
This symbol indicates an imminent danger.
Non-observance will result in personal injury or death.

Warning!
This symbol indicates a possible fault or danger.
Non-observance may cause personal injury or serious property damage.

Caution!
This symbol indicates a possible fault.
Non-observance could interrupt the device and any connected systems and plants,
or result in their complete failure.

Informative Symbols
Note
This symbol brings important information to your attention.

Action
This symbol indicates a paragraph with instructions. You are prompted to perform an action
or a sequence of actions.
2019-12

7
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Product Description

2 Product Description

2.1 Function
General
This signal conditioner provides the galvanic isolation between field circuits
and control circuits.
The energized to safe (ETS) function is permitted for SIL 3 applications.
An internal fault or a line fault is signalized by the impedance change of the relay contact input
and an additional relay contact output.
A fault is signalized by LEDs and a separate collective error message output.

KFD2-RSH-1.2E.L2(-Y1)
The device is a relay module that is suitable for safely switching applications of a load circuit.
The device isolates load circuits up to 60 V DC and the 24 V DC control circuit.

KFD2-RSH-1.2E.L3(-Y1)
The device is a relay module that is suitable for safely switching applications of a load circuit.
The device isolates load circuits up to 230 V AC and the 24 V DC control circuit.

Y1 Version
This device is compatible to the following control: Emerson DeltaV CHARM.
Compatibility check to other ESD/DCS systems on request.

2.2 Interfaces
The device has the following interfaces:
• Safety-relevant interfaces: input, output (ETS)
• Non-safety relevant interfaces: fault indication output
Note
For corresponding connections see datasheet.

2019-12

8
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Product Description

2.3 Marking
Pepperl+Fuchs Group
Lilienthalstraße 200, 68307 Mannheim, Germany
Internet: www.pepperl-fuchs.com

KFD2-RSH-1.2E.L2, KFD2-RSH-1.2E.L2-Y1, Up to SIL 3

KFD2-RSH-1.2E.L3, KFD2-RSH-1.2E.L3-Y1

2.4 Standards and Directives for Functional Safe

Device-specific standards and directives
Functional safety IEC/EN 61508, part 1 – 2, edition 2010:
Functional safety of electrical/electronic/programmable
electronic safety-related systems (manufacturer)
2019-12

9
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Planning

3 Planning

3.1 System Structure

3.1.1 Low Demand Mode of Operation

If there are two control loops, one for the standard operation and another one
for the functional safety, then usually the demand rate for the safety loop is assumed to be less
than once per year.
The relevant safety parameters to be verified are:
• the PFDavg value (average Probability of dangerous Failure on Demand)
and the T1 value (proof test interval that has a direct impact on the PFDavg value)
• the SFF value (Safe Failure Fraction)
• the HFT architecture (Hardware Fault Tolerance)

3.1.2 High Demand or Continuous Mode of Operation

If there is only one safety loop, which combines the standard operation and safety-related
operation, then usually the demand rate for this safety loop is assumed to be higher
than once per year.
The relevant safety parameters to be verified are:
• the PFH value (Probability of dangerous Failure per Hour)
• Fault reaction time of the safety system
• the SFF value (Safe Failure Fraction)
• the HFT architecture (Hardware Fault Tolerance)

3.1.3 Safe Failure Fraction

The safe failure fraction describes the ratio of all safe failures and dangerous detected failures
to the total failure rate.
SFF = (s + dd) / (s + dd + du)
A safe failure fraction as defined in IEC/EN 61508 is only relevant for elements or (sub)systems
in a complete safety loop. The device under consideration is always part of a safety loop but
is not regarded as a complete element or subsystem.
For calculating the SIL of a safety loop it is necessary to evaluate the safe failure fraction
of elements, subsystems and the complete system, but not of a single device.
Nevertheless the SFF of the device is given in this document for reference.
2019-12

10
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Planning

3.2 Assumptions
The following assumptions have been made during the FMEDA:
• Failure rates are constant, wear is not considered.
• Failure rate based on the Siemens standard SN 29500.
• The safety-related device is considered to be of type A device with a hardware
fault tolerance of 0.
• The device will be used under average industrial ambient conditions comparable
to the classification "stationary mounted" according to MIL-HDBK-217F.
Alternatively, operating stress conditions typical of an industrial field environment similar
to IEC/EN 60654-1 Class C with an average temperature over a long period of time
of 40 ºC may be assumed. For a higher average temperature of 60 ºC, the failure rates
must be multiplied by a factor of 2.5 based on experience. A similar factor must be used
if frequent temperature fluctuations are expected.
• The nominal voltage at the digital input is 24 V. Ensure that the nominal voltage
does not exceed 26.4 V under all operating conditions.
• To achieve the safe state even in the case of an internal device fault, the DO card
must be able to supply a signal current of at least 100 mA.
• Observe the useful lifetime limitations of the output relays.

SIL 3 application
• To build a SIL safety loop for the defined SIL, it is assumed as an example that this device
uses 10 % of the available budget for PFDavg/PFH.
• For a SIL 3 application operating in low demand mode the total PFDavg value
of the SIF (Safety Instrumented Function) should be smaller than 10-3,
hence the maximum allowable PFDavg value would then be 10-4.
• For a SIL 3 application operating in high demand mode the total PFH value
of the SIF should be smaller than 10-7 per hour, hence the maximum allowable PFH value
would then be 10-8 per hour.
• For a SIL 3 application operating in high demand mode the internal fault detection
and the line fault detection must be enabled. The fault indication output,
the collective error message output, or the input impedance change must be monitored.
In case of detected faults the necessary reaction must be introduced.
• If the device is used in applications for high demand mode, perform a risk analysis
regarding systematic faults and implement suitable measures to control these systematic
faults. For example, this can be the following measures:
• usage of redundant power supplies,
• monitoring of input signal, wiring and connections for short circuits and open circuits,
• monitoring the output for open circuits.
• Since the safety loop has a hardware fault tolerance of 0 and it is a type A device,
the SFF must be > 90 % according to table 2 of IEC/EN 61508-2 for a SIL 3 (sub) system.

SILCL and PL application

• The standards IEC/EN 62061 and EN/ISO 13849-1 require that the safety device
is implemented according to the idle current principle. As the device is implemented
following the working current principle, no safety classification according
to IEC/EN 62061 and EN/ISO 13849-1 was carried out. If you use the device
in machinery safety applications, assess the specific application and show that
an equivalent safety level will be achieved.
2019-12

11
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Planning

3.3 Safety Function and Safe State

Safety Function
Whenever the input of the device is energized, the ETS output is conducting.

Safe State
In the safe state of the safety function the ETS output is closed (conducting).

Reaction Time
The fault reaction time is < 2 s.

2019-12

12
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Planning

3.4 Characteristic Safety Values

Parameters Characteristic values
Assessment type and Full assessment
documentation
Device type A
Mode of operation Low demand mode or high demand mode
Safety function Output is energized (ETS, energized to safe)
without diagnosis with diagnosis
HFT 0
SIL 3
SC 3
s1 300 FIT 300 FIT
dd 0 FIT 2.81 FIT
du2 3.47 FIT 0.65 FIT
total (safety function)1 304 FIT 304 FIT
total 2052 FIT 2052 FIT
1
SFF 98.8 % 99.8 %
MTBF 3 56 years 56 years
4
DCavg 0% 81.2 %
PTC 81.2 % 81.2 %
PFH 3.47 x 10-9 1/h 6.52 x 10-10 1/h
PFDavg for T1 = 1 year 5 4.1 x 10-5 7.6 x 10-6
PFDavg for T1 = 2 years 4 5.3 x 10-5 1.0 x 10-5
PFDavg for T1 = 3 years 4 6.6 x 10-5 1.2 x 10-5
T1 max. 6 6.5 years 35.0 years
Reaction time 7 <2s
Table 3.1

1 "No effect failures" are not influencing the safety function and are therefore not included in SFF and in the failure rates
of the safety function.
2 While the diagnostic function is signaling the dangerous failure of one relay, the other two redundant relays continue to provide
the safety function. Exceptions are common cause failures that disrupt all three relays. While the diagnostic function is signaling
the failure, the probability of a dangerous undetected failure for the remaining two relays is increasing to 11.4 FIT.
3 acc. to SN29500. This value includes failures which are not part of the safety function/MTTR = 8 h. The value is calculated
for one safety function of the device.
4
Enable the internal fault detection to achieve a diagnostic coverage of 81.2 %. See chapter 5.1.
5 Since the current PTC value is < 100 % and therefore the probability of failure will increase, calculate the PFD value according
to the following formula:
PFDavg = (du / 2) x (PTC x T1 + (1 – PTC) x Tservice)
A service time Tservice of 10 years was assumed for the calculation of PFDavg.
6 assuming 10 % of the PFDavg budget in the safety loop, T1 = Tservice
7
Step response time, also valid under fault conditions (including fault detection and fault reaction)
2019-12

13
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Planning

The characteristic safety values like PFD, PFH, SFF, HFT and T1 are taken
from the FMEDA report. Observe that PFD and T1 are related to each other.
The function of the devices has to be checked within the proof test interval (T1).

3.5 Useful Lifetime

Although a constant failure rate is assumed by the probabilistic estimation this only applies
provided that the useful lifetime of components is not exceeded. Beyond this useful lifetime,
the result of the probabilistic estimation is meaningless as the probability of failure significantly
increases with time. The useful lifetime is highly dependent on the component itself
and its operating conditions – temperature in particular. For example, the electrolytic
capacitors can be very sensitive to the operating temperature.
This assumption of a constant failure rate is based on the bathtub curve, which shows
the typical behavior for electronic components.
Therefore it is obvious that failure calculation is only valid for components that have
this constant domain and that the validity of the calculation is limited to the useful lifetime
of each component.
It is assumed that early failures are detected to a huge percentage during the installation
and therefore the assumption of a constant failure rate during the useful lifetime is valid.
The standard EN/ISO 13849-1:2015 proposes a useful lifetime TM of 20 years for devices
used within industrial environments. This device is designed for this lifetime.
Observe that the useful lifetime can be reduced if the device is exposed to the following
conditions:
• highly stressful environmental conditions such as constantly high temperatures
• temperature cycles with high temperature differences
• permanent repeated mechanical stress (vibration)
As noted in DIN EN 61508-2:2011 note N3, appropriate measures taken by the manufacturer
and plant operator can extend the useful lifetime.
Please note that the useful lifetime refers to the (constant) failure rate of the device.
The effective lifetime can be higher.
The estimated useful lifetime is greater than the warranty period prescribed by law
or the manufacturer's guarantee period. However, this does not result in an extension
of the warranty or guarantee services. Failure to reach the estimated useful lifetime
is not a material defect.

Derating
For the safety application, reduce the number of switching cycles or the maximum current.
A derating to 2/3 of the maximum value is adequate.

Maximum Switching Power of Output Contacts

The useful lifetime is limited by the maximum switching cycles of the relays
under load conditions.
For requirements regarding the connected output load, refer to the documentation
of the connected peripheral devices.

Note
See corresponding datasheets for further information.
2019-12

14
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Mounting and Installation

4 Mounting and Installation

Mounting and Installing the Device

1. Observe the safety instructions in the instruction manual.

2. Observe the information in the manual.
3. Observe the requirements for the safety loop.
4. Connect the device only to devices that are suitable for this safety application.
5. Check the safety function to ensure the expected output behavior.

4.1 Mounting
Tighten the terminal screws with a torque of 0.5 ... 0.6 Nm.

4.2 Configuration
Note
The device configuration via DIP switches is not safety relevant.

Configuring the Device

The device is configured via DIP switches. The DIP switches are on the side of the device.

1. De-energize the device before configuring the device.

2. Remove the device.
3. Configure the device via the DIP switches.
4. Secure the DIP switches to prevent unintentional adjustments.
5. Mount the device.
6. Connect the device again.

Note
See corresponding datasheets for further information.

4.2.1 Output Configuration

Switch Line fault detection Internal fault detection
S1 S2
Off Off disabled disabled
On Off enabled disabled
Off On not used
On On enabled enabled
Table 4.1
2019-12

15
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Operation

5 Operation
Danger!
Danger to life from missing safety function
If the safety loop is put out of service, the safety function is no longer guaranteed.
• Do not deactivate the device.
• Do not bypass the safety function.
• Do not repair, modify, or manipulate the device.

Operating the device

1. Observe the safety instructions in the instruction manual.

2. Observe the information in the manual.
3. Use the device only with devices that are suitable for this safety application.
4. Correct any occurring safe failures within 8 hours. Take measures to maintain
the safety function while the device is being repaired.

2019-12

16
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Operation

5.1 Internal Diagnosis

With enabled internal fault detection a diagnostic coverage of 81.2 % is achieved.
Monitor one of the 4 possible ways of fault detection:
• Input impedance change 1
• Fault indication output
• Collective error message output
• LED indication
The device has three output relays. To ensure a complete diagnosis, three switching
operations are necessary. You have 2 options to achieve the diagnostic coverage, see step 2
of the following section.
Internal Diagnosis Procedure

1. Enable the internal fault detection. See chapter 4.2.1.

2. You have 2 options to achieve the diagnostic coverage:
• Switch on the output manually three times.
or
Observe whether the output switches on three times during the normal operation.
Note
Maintain a distance of at least 2 s between the switching processes.

or
• Check the output function at periodic intervals. Switch on the output at least three times a
year as described in the steps 1 and 2.
2019-12

1 In this case only use a safety PLC with digital output and line fault detection.

17
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Operation

5.2 Proof Test Procedure

This section describes a possible proof test procedure. The user is not obliged to use
this proposal. The user may consider different concepts with an individual determination
of the respective effectiveness, e. g. concepts according to NA106:2018.
According to IEC/EN 61508-2 a recurring proof test shall be undertaken to reveal potential
dangerous failures that are not detected otherwise.
Check the function of the subsystem at periodic intervals depending on the applied PFDavg
in accordance with the characteristic safety values. See chapter 3.4.
The internal fault detection may be used to implement a proof test. The diagnostic coverage
is then counting as the proof test coverage. See chapter 3.4.
It is under the responsibility of the plant operator to define the type of proof test and the interval
time period.

Conditions
KFD2-RSH-1.2E.L2(-Y1) KFD2-RSH-1.2E.L3(-Y1)
Load power supply > 5 V DC > 35.5 V AC
Device power supply (LED 24 V DC 24 V DC
PWR is on)
Output load 13.2  < R < 7.3 k 39.2  < R < 45 k
Current through load 14 mA < I < 1.9 A 13.5 mA AC < I < 4.9 A AC
Input current  36 mA  36 mA
Table 5.1

If the conditions are met, you can also check the device in the application.

2019-12

18
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Operation

Proof Test Procedure

1. Enable the internal fault detection and the line fault detection. See chapter 4.2.1.
2. Check the device as shown in the following tables.
3. After check reset the device to the necessary settings.
4. Check the correct behavior of the safety loop. Is the configuration correct?

Test No. Input Output

1 V = 0 V DC between terminals 7+ and 8-
2 Wait at least 2 seconds. • LED OUT is off.
• LED FLT is off 1.
3 V = 24 V DC between terminals 7+ and 8-
4 Wait at least 2 seconds. • LED OUT is on.
• LED FLT is off 1.
5 V = 0 V DC between terminals 7+ and 8-
6 Wait at least 2 seconds. • LED OUT is off.
• LED FLT is off 1.
7 V = 24 V DC between terminals 7+ and 8-
8 Wait at least 2 seconds. • LED OUT is on.
• LED FLT is off 1.
9 V = 0 V DC between terminals 7+ and 8-
10 Wait at least 2 seconds. • LED OUT is off.
• LED FLT is off 1.
11 V = 24 V DC between terminals 7+ and 8-
12 Wait at least 2 seconds. • LED OUT is on.
• LED FLT is off 1.
Table 5.2 Expected test results for the proof test

1
When the FLT LED flashes, a line fault is present. Check whether the supply voltage and the connected load are in the OK area
of the line fault detection.
When the FLT LED is lit continuously, an internal fault is present. Reset the internal fault by interrupting the power supply
(terminals 14+/15-).

Only if all tests are successfully done, the proof test is successful.
2019-12

19
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Operation

5.3 Application Examples

5.3.1 Standard Application for Dual Pole Switching

For a switching application, the device has to be attached to the process control system
and the load the following way.

KFD2-RSH-1.2E.L2(-Y1)
KFD2-RSH-1.2E.L3(-Y1)

5+ 7+
ETS 8- V

3 10
11
2-

14+
15-
24 V DC

Fault 24 V DC
Power Rail Zone 2

Figure 5.1 Standard application for dual pole switching

In the standard application, the process control system is connected to terminals 7+ and 8-.
The line fault transparency (LFT) of the safety relay must be compatible with the line fault
detection of the process control system output. Terminals 10 and 11 can be used as fault
indication output to the process control system.
The characteristic safety values valid for the standard application can be found in Table 3.1

2019-12

20
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Operation

5.3.2 Application with Fault Indication Output in the Signal Loop

of the Dual Pole Switching
Some process control systems are not working with test pulses or with specific test pulses
that do not recognize the impedance change of the device output signaling a line fault.
Where the output of the process control system can detect an open circuit in the signal loop,
the fault indication output of the device may be put in series to the input. See figure.

KFD2-RSH-1.2E.L2
KFD2-RSH-1.2E.L3

5+ 7+
ETS 8- V

3 10
11
2-

14+
15-
24 V DC

Fault 24 V DC
Power Rail Zone 2

Figure 5.2 Application with fault indication output in the signal loop of the dual pole switching
If the fault indication output is open, the output relay contacts cannot be enabled.
But as the fault is detected by the process control system a suitable reaction can be planned.
The user must ensure that a suitable reaction on this detected fault is implemented.
For this application, the characteristic safety values are the same. The characteristic safety
values can be found in Table 3.1.

Warning!
Possible failure of the safety function
If a fault is detected, all output relay contacts remain open.
Take suitable measures in case the diagnosis is triggered. Take suitable measures to sustain
the safety function via the process control system.
2019-12

21
Functional Safety KFD2-RSH-1.2E.L*(-Y1)
Maintenance and Repair

6 Maintenance and Repair

Danger!
Danger to life from missing safety function
Changes to the device or a defect of the device can lead to device malfunction.
The function of the device and the safety function is no longer guaranteed.
Do not repair, modify, or manipulate the device.

Maintaining, Repairing or Replacing the Device

In case of maintenance, repair or replacement of the device, proceed as follows:

1. Implement appropriate maintenance procedures for regular maintenance of the safety loop.
2. While the device is maintained, repaired or replaced, the safety function does not work.
Take appropriate measures to protect personnel and equipment while the safety function
is not available.
Secure the application against accidental restart.
3. Do not repair a defective device. A defective device must only be repaired by the manufacturer.
4. If there is a defect, always replace the device with an original device.

2019-12

22
 Functional Safety KFD2-RSH-1.2E.L*(-Y1)
List of Abbreviations

7 List of Abbreviations
ESD Emergency Shutdown
FIT Failure In Time in 10-9 1/h
FMEDA Failure Mode, Effects, and Diagnostics Analysis
s Probability of safe failure
dd Probability of dangerous detected failure
du Probability of dangerous undetected failure
no effect Probability of failures of components in the safety loop that have
no effect on the safety function.
not part Probability of failure of components that are not in the safety loop
total (safety function) Probability of failure of components that are in the safety loop
HFT Hardware Fault Tolerance
MTBF Mean Time Between Failures
MTTR Mean Time To Restoration
PCS Process Control System
PFDavg Average Probability of dangerous Failure on Demand
PFH Average frequency of dangerous failure per hour
PLC Programmable Logic Controller
PTC Proof Test Coverage
SC Systematic Capability
SFF Safe Failure Fraction
SIF Safety Instrumented Function
SIL Safety Integrity Level
SIS Safety Instrumented System
T1 Proof Test Interval

Tservice Time from start of operation to putting the device out of service
DTS De-energized To Safe (sicherheitsgerichtetes Abschalten)
ETS Energized To Safe (sicherheitsgerichtetes Anschalten)
2019-12

23
Pepperl+Fuchs Quality
Download our latest policy here:

www.pepperl-fuchs.com/quality

www.pepperl-fuchs.com
© Pepperl+Fuchs · Subject to modifications
Printed in Germany / DOCT-5816C