.. _fsd114:

FSD114: 61508-1 E/E/PE system safety requirements specification
######################################################################

.. list-table:: Header
   :header-rows: 0

   * - Title
     - FSD114: 61508-1 E/E/PE system safety requirements specification
   * - Version
     - V16
   * - Products
     - Safety Simplifier
   * - Requirements
     - 61508-2:7.2.3.1
   * - Purpose
     - Specify safety requirements
   * - Input
     - :ref:`fsd010`, :ref:`fsd011`
   * - Output
     - :ref:`fsd114`

Table of contents
***********************

.. contents::

Description
***********************

This document corresponds to phase 9 in Figure 2 - Overall safety lifecycle in IEC 61508-1. Input to this document is the risk analysis :ref:`fsd011`, as well as the market requirements defined in :ref:`fsd010`.

Motivations
************

.. motivation:: SSRS from safety requirements allocation
   :id: MOTIVATION_114_001
   :status: PASS

   Since the lifecycle phases before phase 9 are not performed (see :need:`MOTIVATION_002_001`), the inputs to phase 9 (this document) are the risk analysis (:ref:`fsd011`) and the market requirements (:ref:`fsd010`).

.. motivation:: SSRS availability
   :id: MOTIVATION_114_002
   :status: PASS

   All developers have access to the documentation, including the system safety requirements specification. All developers also have direct communication with the people involved with the documentation, management, and FSA.

.. motivation:: SSRS according to EN-61508-1 clause 7.10.2.4
   :id: MOTIVATION_114_005
   :status: PASS

   The system safety requirements specification is written according to the requirements specified in 61508, and is written with the goal of being understandable for the people involved in the management, development, and FSA. See test :need:`TEST_107_001`.

.. test:: SSRS contains SIL and safety function requirements
   :id: MOTIVATION_114_006
   :blockers: MOTIVATION_114_003, MOTIVATION_114_004

   The system safety requirements specification contains the system safety function requirements for the Safety Simplifier and the requirements for system safety integrity. The SIL requirements are specified in :need:`SREQ_01A`. The safety function requirements are derived from the inputs to this document (risk analysis and market requirements). See :need:`MOTIVATION_114_003` and :need:`MOTIVATION_114_004`.

.. motivation:: Safety function requirements
   :id: MOTIVATION_114_003
   :status: PASS

   \a) First see :need:`MOTIVATION_002_001`. :need:`SREQ_05` specifies safe state (no continuous control). :need:`SREQ_06A` specifies high demand/continuous mode.

   \b) Response time performance is specified in :need:`SREQ_07`, :need:`SREQ_08A`, :need:`SREQ_08B`, and :need:`SREQ_09A`.

   \c) The operator interfaces are specified in :need:`SREQ_02` and :need:`SREQ_10A`.

   \d) See :need:`SREQ_01A`.

   \e) Interfaces to other safety-related systems include only the Simplifier Gateway, which is covered by the SimpleCAN protocol specification. PC software is used to configure units and systems. See :need:`SREQ_10A`.

   \f) N/A, the EUC is not included in the scope.

   \g) See :need:`SREQ_15A` and :need:`SREQ_15B`.

.. motivation:: SIL requirements
   :id: MOTIVATION_114_004
   :status: PASS

   \a) As per the market requirement, SIL3 and PLe/Category 4 are required, see :need:`SREQ_01A`.

   \b) Continuous/high demand, according to 61508-1, table 3, which gives a target failure measure (probability of dangerous failure per hour) of :math:`\geq 10^{-8}` to :math:`\leq 10^{-7}`. See :need:`SREQ_06A` and :need:`SREQ_06B`.

   \c) Specified in FSD202.

   \d) Proof testing activities are not used; instead, automatic online diagnostic tests are implemented. See :need:`SREQ_16A`.

   \e) See :need:`SREQ_17A`, :need:`SREQ_17B`, :need:`SREQ_17C`, :need:`SREQ_17D`, and :need:`SREQ_18C`.

   \f) See :need:`SREQ_19`.

   \g) Hardware common cause failure analysis in :ref:`fsd203`.

.. motivation:: High demand/continuous mode
   :id: MOTIVATION_114_007
   :status: PASS

   The Safety Simplifier is a control system intended for implementation of the logic part (subsystem) of one or several safety functions for machinery (i.e. high demand/continuous mode of operation). See also :need:`CERT_0005`.

.. _fsd114_sreq_table:

SREQ summary
*************

.. needtable:: SREQ summary
   :tags: sreq
   :style: table
   :columns: id;title;source;status;derived

Safety requirements
********************

.. These requirements are generally derived from the risk analysis:

.. req:: Dangerous internal hardware failures shall be detected
   :id: SREQ_N_01
   :tags: sreq
   :derived: SREQ_03A, SREQ_03B, SREQ_16A

   All possible internal hardware failures that may lead to a loss of safety function shall be monitored, detected, and handled.

.. req:: External failures shall be detected and handled
   :id: SREQ_N_02
   :tags: sreq
   :derived: SREQ_04A, SREQ_04B, SREQ_13A, SREQ_13B

   Dangerous external hardware failures shall be detected and handled.

.. req:: Safe state during configuration
   :id: SREQ_N_03
   :tags: sreq
   :derived: SREQ_05, SREQ_15A, SREQ_15B, SREQ_21

   During configuration, all outputs shall be in a safe state.

.. req:: Safe state in other nodes during configuration
   :id: SREQ_N_04
   :tags: sreq
   :derived: SREQ_04B, SREQ_21

   During configuration of a unit, relevant outputs in other units shall be in a safe state.

.. req:: Safe state during fatal error
   :id: SREQ_N_05
   :tags: sreq
   :derived: SREQ_15C

   In case a dangerous fault is detected, all outputs shall be in a safe state.

.. req:: Safe state in other nodes during fatal error
   :id: SREQ_N_06
   :tags: sreq
   :derived: SREQ_22

   In case of a fatal error in a unit, relevant outputs in other units shall be in a safe state.

.. note::

   This is handled via radio timeout, resulting in all affected outputs going to OFF state, which is the design safe state as implemented by the user (see :need:`SREQ_04B`).

.. In other units, this can be seen as an external fault and can be handled as :need:`SREQ_04A`.

.. req:: Procedures for correctly configuring Safety Simplifier
   :id: SREQ_N_07A
   :tags: sreq
   :derived: DREQ_MANUAL_20, DREQ_MANUAL_21, DREQ_MANUAL_22, DREQ_LOGIC_210B, DREQ_LOGIC_210C

   Procedures for correctly identifying the units to be configured shall be provided to end users.

.. req:: Configuration
   :id: SREQ_N_07B
   :tags: sreq
   :derived: DREQ_LOGIC_210D

   The success or failure of a configuration attempt shall be clear to the user.

.. req:: Configuration
   :id: SREQ_N_07C
   :tags: sreq
   :derived: DREQ_LOGIC_202A, DREQ_LOGIC_202B

   Corrupted configurations shall be detected and handled.

.. req:: Configuration
   :id: SREQ_N_07D
   :tags: sreq
   :derived: DREQ_LOGIC_200E, DREQ_LOGIC_200H, DREQ_LOGIC_210A, DREQ_LOGIC_210B, DREQ_LOGIC_210C

   During configuration, the firmware and the PC configuration software shall guarantee that the configuration is downloaded to the correct unit.

.. req:: Radio communication
   :id: SREQ_N_09A
   :tags: sreq
   :derived: DREQ_RADIO_1

   The radio communication interface shall fulfil the requirements for black channel communication as defined in IEC 61784-3.

.. req:: CAN communication
   :id: SREQ_N_09B
   :tags: sreq
   :derived: DREQ_CAN_1, DREQ_CAN_2

   The CAN communication interface shall fulfil the requirements for black channel communication as defined in IEC 61784-3. The safety CAN communication protocol shall be SimpleCAN (as specified in FSD350).

.. req:: General black channel interface
   :id: SREQ_N_09C
   :derived: BLCH0002
   :tags: sreq

   The general black channel interface shall fulfil the requirements for black channel communication as defined in IEC 61784-3.

.. req:: CPU2CPU communication
   :id: SREQ_N_09D
   :tags: sreq
   :derived: DREQ_C2C_1, DREQ_C2C_2, DREQ_C2C_3, DREQ_C2C_4, DREQ_C2C_5, DREQ_C2C_6, DREQ_C2C_7, DREQ_C2C_8

   The CPU2CPU communication shall fulfil the requirements for white channel communication as defined in IEC 61508 and IEC 61784-3.

.. req:: Power supply
   :id: SREQ_N_10
   :tags: sreq
   :derived: SREQ_24

   No voltage, low voltage, high voltage, and unstable voltage shall be detected and handled.

.. req:: Fault handling
   :id: SREQ_N_14A
   :tags: sreq
   :derived: SREQ_26A, SREQ_26B, DREQ_LOGIC_200F

   Fault monitoring shall not lead to false positives, and normal operation shall be stable.

.. req:: Fault handling
   :id: SREQ_N_14B
   :tags: sreq
   :derived: DREQ_DIAGNOSTIC_01

   If a fault is detected, the cause and mitigation of that fault shall be clear to the user.

.. req:: Fault handling
   :id: SREQ_N_14C
   :tags: sreq
   :derived: SREQ_26A, SREQ_26B

   Common input signal errors (such as disturbances and noisy signals), up to *reasonable* specified limits (such as frequency, voltage, and duration), shall be handled.

.. req:: Time measurement accuracy
   :id: SREQ_N_15A
   :tags: sreq
   :derived: SREQ_07, SREQ_27

   All timing requirements shall be specified and met, within a reasonable specified margin.

.. req:: Time measurement faults
   :id: SREQ_N_15B
   :tags: sreq
   :derived: DREQ_27A, DREQ_27B, DREQ_108A, DREQ_108B

   Hardware and software relating to time measurement shall be monitored for faults that can cause timing inaccuracies.

.. req:: All units shall have a unique identifier
   :id: SREQ_N_16A
   :tags: sreq
   :derived: SREQ_28A, SREQ_28B, SREQ_28C

   All units shall have a unique identifier, which cannot be changed.

.. note::

   Unique in the context of Safety Simplifier, i.e., two Safety Simplifiers shall not have the same identifier.

.. req:: All nodes in a network shall be specified in the configuration
   :id: SREQ_N_16B
   :tags: sreq
   :derived: SREQ_20, SREQ_29B, SWSREQ_034D

   The configuration shall specify all nodes that are part of the network by their unique identifier.

.. req:: Unauthorized use
   :id: SREQ_N_17
   :tags: sreq
   :derived: SREQ_10A, SREQ_10B

   Unauthorized users shall not be able to reconfigure a unit.

.. req:: Environmental conditions
   :id: SREQ_N_18
   :tags: sreq
   :derived: SREQ_17A, SREQ_17B, SREQ_17C, SREQ_17D, SREQ_18A, SREQ_18B, SREQ_18C, SREQ_19

   The environmental conditions that the Safety Simplifier can be used in shall be specified.

.. todo:: Are the environmental conditions rather a market requirement?

.. req:: Restart and reset
   :id: SREQ_N_19
   :tags: sreq
   :derived: SREQ_16B, SREQ_24

   Restart and reset shall not result in a hazard or unsafe function.

.. These requirements are generally derived from the standard and the requirements above.

.. req:: SIL3/CAT4/PLe
   :tags: sreq
   :id: SREQ_01A
   :derived: DREQ_CAT4_1, DREQ_103A, DREQ_REDUNDANCY_1, DREQ_EMC_1, DREQ_EMC_2, DREQ_107A, DREQ_113A, DREQ_17B, DREQ_17C

   The Safety Simplifier shall implement part (as logic subsystem) of one or several overall safety function(s) operating on an EUC within the scope of the Machinery Directive 2006/42/EC and assigned/associated with a safety integrity requirement up to SIL 3 (IEC 61508) and/or PLe / CAT 4 (ISO 13849-1).

.. req:: PLC
   :id: SREQ_01B
   :tags: sreq
   :derived: DREQ_122A, DREQ_201A, DREQ_LOGIC_201A, DREQ_LOGIC_201B, DREQ_CAT4_1, DREQ_REDUNDANCY_1

   The element safety function of the Safety Simplifier shall provide output signals in accordance with a user defined algorithm/configuration in combination with the signals on its inputs, up to SIL 3/PL e.

.. req:: No external control
   :id: SREQ_02
   :tags: sreq
   :derived: DREQ_15A

   There shall exist no external interface to directly control safety outputs.

.. old: There shall be no way to directly control the safety outputs from the user interface, including push buttons, USB communications, and radio communication from the diagnostic and configuration tool (Simplifier Manager).

.. req:: Internal failure monitoring
   :id: SREQ_03A
   :tags: sreq
   :derived: DREQ_28B, DREQ_111A, DREQ_16C, DREQ_01F, DREQ_115A, DREQ_115B, DREQ_201A, DREQ_27B, DREQ_16B, DREQ_16A, DREQ_108A, DREQ_C2C_6

   All possible internal dangerous failures shall be monitored, detected, and handled.

.. req:: Internal failure safe state
   :id: SREQ_03B
   :tags: sreq
   :derived: DREQ_3A

   If an internal dangerous failure is detected, the unit shall enter safe state, as defined in :need:`SREQ_05`.

.. req:: External failure safe state
   :id: SREQ_04A
   :tags: sreq
   :derived: DREQ_4A

   If an external dangerous failure is detected, all affected outputs in all affected units shall either go low (0V) or go into OFF-state, depending on the detected failure.

.. note::

   OFF-state is not the same as "turning off". OFF-state for transistor outputs is a "design safe state" defined by the user.

.. req:: Design safe state
   :id: SREQ_04B
   :tags: sreq
   :derived: DREQ_4A

   Design safe state shall be defined as either safe state or OFF-state. The system integrator defines the design safe state.

.. req:: Static safe state
   :id: SREQ_05
   :tags: sreq
   :derived: DREQ_SAFESTAE_1, DREQ_SAFESTAE_2

   The Safety Simplifier shall achieve a safe state in a static manner by all outputs going low (0V), i.e. no continuous control is needed. This shall be defined as "Safe state".

.. req:: High demand/continuous mode
   :id: SREQ_06A
   :tags: sreq
   :derived: DREQ_NORMALMODE_1

   The element safety functions provided by the Simplifier system shall operate in high demand or continuous mode.

.. req:: High demand or continuous mode calculations
   :id: SREQ_06B
   :derived: MOTIVATION_114_007
   :tags: sreq

   High demand or continuous mode shall be used for the calculation of PFHd and MTTFd.

.. req:: Max response time
   :id: SREQ_07
   :tags: sreq
   :derived: SREQ_08A, SREQ_08B, SREQ_09A, SREQ_09B, SREQ_22

   The absolute maximum time delay (response time) :math:`T_{Rmax}` shall not exceed :math:`T_R + T_{CL}`, i.e.

   :math:`T_{Rmax} = T_R + T_{CL}`

   Response time :math:`T_R` is defined in :need:`SREQ_08A`. Maximum configurable link timeout :math:`T_{CL}` is defined in :need:`SREQ_08B`.

.. note::

   Response times defined here do not consider filtering and delays defined by the integrator.

.. req:: Response time in user manual
   :id: SREQ_07B
   :tags: sreq
   :derived: DREQ_7C

   A method to calculate the overall response time shall be available to users.

.. req:: Response time
   :id: SREQ_08A
   :tags: sreq
   :derived: DREQ_27A, DREQ_27B

   For valid I/O signals, the response time from input to output shall not exceed:

   :math:`T_R = T_I + T_L + T_O`

   where:

   * :math:`T_R` is the total maximum reaction time from a signal change on an input to the reaction on the outputs,
   * :math:`T_I` is the maximum reaction time from a signal change on an input until the change is reflected in the logic,
   * :math:`T_L` is the maximum reaction time to process the change on the input (i.e. logic) until the control of the affected outputs changes, not counting intentional delays and filters,
   * :math:`T_O` is the maximum reaction time from a change of the control signal to an output until the physical output signal changes.

.. note::

   Response times defined here do not consider filtering and delays defined by the integrator.

.. todo:: input/logic/output response time table.

.. req:: Link timeout
   :id: SREQ_08B
   :tags: sreq
   :derived: DREQ_RADIO_3A, DREQ_RADIO_3B, DREQ_123A

   The communication link timeout :math:`T_{CL}` shall be configurable in the range 2 ms to 60000 ms.

.. note::

   Normally, values outside the range ~10 ms to ~2 s are exceptional, but they are allowed by these safety requirements for special applications.

.. req:: Dangerous failure response time
   :id: SREQ_09A
   :derived: TEST_150_010, MOTIVATION_300_312
   :tags: sreq

   The maximum delay between a dangerous failure occurring in a unit and safe state being reached in that unit shall be 500 ms.

.. req:: Dangerous failure response time network
   :id: SREQ_09B
   :tags: sreq
   :derived: DREQ_9A, TEST_150_021

   The maximum delay between a dangerous failure occurring in a unit and all affected outputs in the complete system having reached safe state or design safe state shall be :math:`T_{Rmax} + 500` ms. :math:`T_{Rmax}` is defined in :need:`SREQ_07`.

.. note::

   The complete system here refers to all nodes in a network that depend on inputs from the node that detected the failure.

.. req:: Means of configuration
   :id: SREQ_10A
   :tags: sreq
   :derived: DREQ_10A, DREQ_10B

   There shall be no user interface to replace units. For commissioning and replacement (including repairs), all units shall be programmed by a PC or a memory card.

.. req:: Configuration authorization
   :id: SREQ_10B
   :tags: sreq
   :derived: DREQ_LOGIC_200E

   All changes to the configuration by PC shall be authorized by a password.

.. req:: I/O ON/OFF states
   :id: SREQ_11
   :tags: sreq
   :derived: DREQ_11A, DREQ_126B

   All I/O shall have a defined ON-state and OFF-state.

.. note::

   The ON and OFF states are defined by defining the signal types of all I/Os in ON and OFF state.

.. req:: Potential free outputs
   :id: SREQ_12
   :tags: sreq
   :derived: DREQ_12A, DREQ_01E, DREQ_105A, DREQ_127A

   Safety Simplifier shall have optional potential free outputs.

.. req:: Digital outputs
   :id: SREQ_13A
   :tags: sreq
   :derived: DREQ_01F, DREQ_104A, DREQ_115A, DREQ_115B, DREQ_115C, DREQ_115D, DREQ_115E, DREQ_115F, DREQ_126A, DREQ_13A, DREQ_15A

   Safety Simplifier shall have optional static and coded transistor outputs.

.. req:: Digital inputs
   :id: SREQ_13B
   :tags: sreq
   :derived: DREQ_01C, DREQ_102A, DREQ_114A, DREQ_16C, DREQ_114B, DREQ_114C, DREQ_114D, DREQ_114E, DREQ_116B, DREQ_116C, DREQ_14A, DREQ_11A, DREQ_126B

   The Safety Simplifier shall have static, coded and analogue inputs.

.. note::

   The analogue inputs can be used as digital inputs via a comparator.

.. req:: Modes of operation
   :id: SREQ_15A
   :tags: sreq
   :derived: DREQ_MODES_1, DREQ_NORMALMODE_1, DREQ_SAFESTAE_1, DREQ_SAFESTAE_2, DREQ_LOGIC_200A, DREQ_LOGIC_200B, DREQ_LOGIC_200C, DREQ_LOGIC_200D, DREQ_LOGIC_200G

   The following modes of operation shall be available:

   * Normal operation mode: the PLC controls the outputs according to the inputs and the logic.
   * Safe state as defined in :need:`SREQ_05`.
   * PLC Configuration mode as defined in :need:`SREQ_15B`. This is the only mode in which a new configuration is accepted.

.. req:: Configuration mode
   :id: SREQ_15B
   :derived: RESULT_150_001

   There shall exist a configuration mode, which is the only mode in which a new configuration is accepted. In configuration mode, the unit shall be in safe state as defined in :need:`SREQ_05`.

.. req:: Fatal error mode
   :id: SREQ_15C
   :derived: TEST_150_010

   There shall exist a fatal error mode in which the unit shall be in safe state as defined in :need:`SREQ_05`. If a fatal error is detected, the unit shall enter this mode. All parts of the system that are affected by the fatal error shall be switched off/unavailable.

.. req:: Startup/continuous tests & diagnostic
   :id: SREQ_16A
   :tags: sreq
   :derived: DREQ_16B, DREQ_16A, DREQ_16C, DREQ_LOGIC_202B

   Automatic diagnostic tests shall be either start-up tests or continuous tests during operation.

.. req:: Startup/continuous tests & diagnostic
   :id: SREQ_16B
   :tags: sreq
   :derived: DREQ_111A, DREQ_LOGIC_202B

   A restart (such as a power cycle or a software reset) shall not result in an unsafe function.

.. req:: Environmental conditions
   :id: SREQ_17A
   :tags: sreq
   :derived: DREQ_17C, DREQ_MANUAL_11

   The environmental conditions that the device is considered to be exposed to during its lifecycle (except during testing) are temperature (operation and storage), humidity (operation and storage), and vibration (operation and storage).

.. req:: Storage temperature
   :id: SREQ_17B
   :tags: sreq
   :derived: DREQ_17C, DREQ_MANUAL_11

   The test requirement for storage temperature shall be -40°C to +70°C, and storage humidity less than 95%.

.. req:: Operating temperature
   :id: SREQ_17C
   :tags: sreq
   :derived: DREQ_17C, DREQ_17D, DREQ_MANUAL_11

   For units in an IP65 enclosure, the test requirement for operating temperature shall be -30°C to +60°C, and operating humidity less than 95%.

.. req:: Environmental conditions
   :id: SREQ_17D
   :tags: sreq
   :derived: DREQ_17B, DREQ_MANUAL_11

   The test requirement for vibration shall be 3 G, 5-300 Hz.

.. req:: ES1 according to IEC/EN 62368-1
   :id: SREQ_18A
   :derived: CERT_0007
   :tags: sreq

   The Safety Simplifier power supply shall fulfil the requirements for ES1 according to IEC/EN 62368-1.

.. req:: ES1 according to IEC/EN 62368-1
   :id: SREQ_18B
   :tags: sreq
   :derived: DREQ_PSU_01, DREQ_24A, DREQ_24B, DREQ_24C, DREQ_24D, DREQ_101A, DREQ_111A, DREQ_124A

   The Safety Simplifier power supply voltage shall be within a minimum of 7 VDC up to a maximum of 33 VDC.

.. req:: ES1 according to IEC/EN 62368-1
   :id: SREQ_18C
   :tags: sreq
   :derived: DREQ_MANUAL_10

   For interfacing the Safety Simplifier to other devices, all voltages shall be below 50 V.

.. req:: CE/EMC
   :id: SREQ_19
   :tags: sreq
   :derived: DREQ_EMC_1, DREQ_EMC_2, DREQ_113A

   Safety Simplifier shall fulfil the requirements for CE.

.. req:: Radio source nodes
   :id: SREQ_20
   :tags: sreq
   :derived: SWSREQ_034D, SWSREQ_037A, SWSREQ_037B

   A node shall only use safety data received via radio or CAN from other nodes that are part of its network.

.. req:: Safe state during software upgrade
   :id: SREQ_21
   :tags: sreq
   :derived: DREQ_LOGIC_200A, DREQ_LOGIC_200B

   A node shall not be part of any safety function during a software upgrade (safe state).

.. req:: Communication timeout
   :id: SREQ_22
   :tags: sreq
   :derived: DREQ_RADIO_3A, DREQ_RADIO_3B

   After link timeout (radio and CAN), a receiving node shall consider all safety signals from the timed out node as 0.

.. note::

   Signals defined as non-safe may be used as the last valid value.

.. req:: Power supply
   :id: SREQ_24
   :tags: sreq
   :derived: DREQ_24A, DREQ_24B, DREQ_24C, DREQ_24D

   Safety Simplifier shall handle the following power supply failures:

   #. Low voltage
   #. Removal of supply
   #. Unstable voltage

.. req:: Input filter
   :id: SREQ_26A
   :tags: sreq
   :derived: DREQ_14A

   Input signal noise shall be handled.

.. req:: Input filter
   :id: SREQ_26B
   :tags: sreq
   :derived: DREQ_26A

   Input signals shall have a configurable filter.

.. req:: Timing accuracy
   :id: SREQ_27
   :tags: sreq
   :derived: SREQ_08A, SREQ_08B, SREQ_09A, SREQ_09B, SREQ_22

   All timing shall be performed with an accuracy better than 2 ms + 0.1%.

.. req:: Unique ID
   :id: SREQ_28A
   :tags: sreq
   :derived: DREQ_28A, DREQ_28B

   Each Safety Simplifier shall have a unique ID.

.. req:: Unique ID
   :id: SREQ_28B
   :tags: sreq
   :derived: DREQ_28C

   Each memory card module shall have a unique ID.

.. req:: Unique IDs
   :id: SREQ_28C
   :tags: sreq
   :derived: DREQ_28C

   Memory cards and Safety Simplifiers shall use the same ID series.

.. req:: Networks
   :id: SREQ_29B
   :tags: sreq
   :derived: SWSREQ_034D

   A node which transmits safety data shall seed the checksum with its own unique ID, or with the ID of an installed memory card module.

.. note::

   Using the ID of the memory card allows exchanging units by moving the memory card, without needing to reconfigure the whole network.

.. req:: Trained personnel
   :id: SREQ_109A
   :tags: sreq
   :derived: DREQ_MANUAL_23

   Only trained personnel following the design procedure shall be allowed to configure a Simplifier.

.. req:: Safety manual
   :id: SREQ_110A
   :tags: sreq
   :derived: DREQ_MANUAL_23, MANUAL_REQS_FROM_STANDARD

   The safety manual shall fulfil the requirements for a safety manual in 61508.

.. req:: Non safety functions
   :id: SREQ_30A
   :tags: sreq
   :derived: DREQ_30A

   Non safety related functions in hardware and software shall not interfere with safety functions in an unsafe manner.
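The receive-side handling that :need:`SREQ_20`, :need:`SREQ_22` and :need:`SREQ_29B` above together describe, as an added example that is not code from this specification or from the Safety Simplifier firmware. The frame layout, the CRC-32 seeding and the slot-to-ID mapping are assumptions, since the page fixes neither the checksum algorithm nor the framing (SimpleCAN is specified in FSD350).

```python
"""Added example, not code from FSD114 or the Safety Simplifier project.

Receive-side model of SREQ_20 (only use safety data from nodes in the
configured network), SREQ_29B (checksum seeded with the sender's unique ID)
and SREQ_22 (signals read as 0 after link timeout T_CL).  Framing, the
CRC-32 seeding and the slot numbering are constructed assumptions; the page
fixes none of them and SimpleCAN (FSD350) is not reproduced here.
"""
import zlib

FRAME_LEN = 6  # constructed layout: 1 byte slot | 1 byte signals | 4 byte CRC


def seeded_checksum(unique_id: int, payload: bytes) -> int:
    """CRC-32 of the payload started from the sender's unique ID (SREQ_29B).
    zlib.crc32(data, start) continues a running CRC from 'start', so the ID
    is covered by the checksum without being transmitted in the frame."""
    return zlib.crc32(payload, unique_id & 0xFFFFFFFF) & 0xFFFFFFFF


def build_frame(slot: int, unique_id: int, signals: int) -> bytes:
    """Frame as sent by a node: slot, safety signals, checksum seeded with
    its own unique ID (or that of its memory card module)."""
    payload = bytes([slot, signals])
    return payload + seeded_checksum(unique_id, payload).to_bytes(4, "big")


class Receiver:
    """Receiving node. 'network' maps slot -> (expected unique ID, T_CL in
    ms) and stands for the node list of the configuration (SREQ_N_16B)."""

    def __init__(self, network: dict):
        self.network = network
        self.last = {slot: (0, None) for slot in network}  # (signals, rx ms)

    def on_frame(self, frame: bytes, now_ms: int) -> bool:
        """Accept only frames from a configured slot (SREQ_20) whose checksum
        verifies under the unique ID expected for that slot (SREQ_29B). A node
        from another network reusing the slot number fails here because its
        different ID seeds a different checksum."""
        if len(frame) != FRAME_LEN or frame[0] not in self.network:
            return False
        expected_id, _ = self.network[frame[0]]
        if seeded_checksum(expected_id, frame[:2]) != int.from_bytes(frame[2:], "big"):
            return False
        self.last[frame[0]] = (frame[1], now_ms)
        return True

    def safety_signals(self, slot: int, now_ms: int) -> int:
        """Value the logic may use: last valid signals, or 0 once more than
        T_CL ms have passed since they were received (SREQ_22)."""
        if slot not in self.network:
            return 0
        signals, rx_ms = self.last[slot]
        if rx_ms is None or now_ms - rx_ms > self.network[slot][1]:
            return 0
        return signals


def demo() -> dict:
    """Constructed walk-through; returns the observed values."""
    rx = Receiver({1: (0x00010001, 100), 2: (0x00010002, 250)})
    good = build_frame(1, 0x00010001, 0b0101)     # the node configured for slot 1
    foreign = build_frame(1, 0x00020001, 0b0101)  # other network, same slot number
    return {
        "good_accepted": rx.on_frame(good, now_ms=1000),
        "foreign_accepted": rx.on_frame(foreign, now_ms=1001),
        "signals_in_time": rx.safety_signals(1, now_ms=1050),
        "signals_after_timeout": rx.safety_signals(1, now_ms=1101),
        "unconfigured_slot": rx.safety_signals(9, now_ms=1050),
    }
```

The seeded CRC catches corruption and frames from a node whose unique ID is not the one configured for that slot, which is an integrity measure in the IEC 61784-3 black-channel sense, not a cryptographic authentication of the sender.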
.. note::

   Non safety related functions are functions such as diagnostics, configuration, monitoring, and debugging.

Revision History
****************

.. list-table::
   :header-rows: 1

   * - Date
     - By
     - Version
     - Description
   * - 2017-02-23
     - Mats Linger
     - V1
     - Initial version
   * - 2017-03-02
     - Mats Linger
     - V2
     - Added Req11
   * - 2017-06-30
     - Mats Linger
     - V8
     - Correction of text, no change in requirements.
   * - 2017-07-07
     - Mats Linger
     - V9
     - SREQ 28 and SREQ 29
   * - 2017-08-18
     - Mats Linger
     - V10
     - SREQ 10 changed.
   * - 2017-09-10
     - Mats Linger
     - V11
     - SREQ 8 changed
   * - 2017-10-09
     - Mats Linger
     - V12
     - SREQ 7 & 8 changed
   * - 2018-04-12
     - Mats Linger
     - V13
     - Figure redrawn, no changes
   * - 2018-04-16
     - Mats Linger
     - V14
     - SREQ 4 changed to affected unit.
   * - 2018-05-02
     - Mats Linger
     - V15
     - Modified SREQ8
   * - 2023-08-15
     - William Forsdal
     - V16
     - Changes:

       * Rewrite to reStructuredText and restructure for the new FSA documentation structure.
       * Redefine response times.
       * Split some requirements into subrequirements.
       * General clarifications without modifications.
   * - 2024-11-15
     - William Forsdal
     - V17
     - Changes:

       * Added description section.
       * Moved SREQ summary to top.
       * Split SREQ_03 into two requirements and generalized.
       * Updated SREQ_06 to 'shall'.
       * Clarified SREQ_15 to specify each mode of operation.
       * Clarified requirements in general.
       * Added SREQ_30 SimpleCAN requirement.
       * Moved SREQ_01 and SREQ_02 to market requirements.
   * - 2024-12-02
     - William Forsdal
     - V18
     - Changes:

       * Added motivations for requirements in 61508-1.
   * - 2025-01-14
     - William Forsdal
     - V18
     - Changes:

       * Renamed SREQ_10 to SREQ_10A, and added SREQ_10B.
       * Renamed SREQ_16 to SREQ_16B, and added SREQ_16B (was DREQ_111.1 before).
       * Split SREQ_09 into two requirements and clarified.