.. _fsd120:

FSD120: System design requirements specification
#################################################

.. list-table:: Header
   :header-rows: 0

   * - Title
     - FSD120: System design requirements specification
   * - Version
     - V12
   * - Products
     - Safety Simplifier
   * - Requirements
     - 61508-2: clause 7.2
   * - Purpose
     - Specify overall design requirements
   * - Input
     - :ref:`fsd114`
   * - Output
     - :ref:`fsd120`

Table of contents
*****************

.. contents::

Introduction
************

This document corresponds to phase 10.1 of figure 2 in 61508-2. For an overview of the general design of the system, refer to FSD120 Appendix 1.

This document identifies design requirements. They are either based on the SREQxx requirements, in which case they use the same reference number xx and are called DREQxx_yy, or they are new design requirements, in which case they are numbered from DREQ101_yy upwards. yy starts from 1.

Motivations for requirements in 61508-2
***************************************

.. test:: DREQs derived from SREQs
   :id: MOTIVATION_120_003
   :status: PASS

   All design requirements are derived from safety requirements specified in :ref:`fsd114`.

.. test:: DREQs fulfil 61508-2 requirement 7.2.2.2
   :id: MOTIVATION_120_004
   :derived: TEST_107_103

   \a) \b) See :ref:`FSD107` chapter 2. The design requirements specification is written according to the requirements specified in 61508, and is written with the goal of being understandable for the people involved in the management, development, and FSA.

   \c) See :ref:`FSD107` chapter 2. All design requirements are derived from safety requirements specified in :ref:`fsd114`.

.. motivation:: Design requirements as specified in 61508-2 clause 7.2.3.2
   :id: MOTIVATION_120_001
   :status: PASS

   These points map to the requirements in 61508-2 clause 7.2.3.2.

   \a) See requirements for each subsystem as specified in the chapters below (:ref:`subsystems`). Also see :ref:`FSD115` and :ref:`FSD203`.
   \b) See requirements for each subsystem as specified in the chapters below (:ref:`subsystems`). Also see :ref:`FSD115` and :ref:`FSD203`.

   \c) See timing requirements for each subsystem as specified in the chapters below (:ref:`subsystems`), and design requirements derived from :need:`SREQ_07`. Also see :ref:`FSD115` and :ref:`FSD203`.

   \d) See :need:`DREQ_27A`, :need:`DREQ_27B`.

   \e) See :need:`DREQ_10A`, and requirements relating to configuration mode.

   \f) Interfaces to other safety-related systems include only Simplifier Gateway, which is covered by the SimpleCAN protocol specification.

   \g) See :need:`DREQ_MODES_1`.

   \h) HW Diagnostic Coverage is mainly implemented in software. See requirements derived from :need:`SREQ_16A` and :need:`SREQ_16B`.

   \i)

       * Maximum response times (see \c)
       * Common cause failures for hardware (see :ref:`FSD203`)
       * Environmental constraints (:need:`DREQ_113A`, :need:`DREQ_17B`, :need:`DREQ_17C`, :need:`DREQ_17D`)

   \j) See :need:`DREQ_C2C_6`, :need:`DREQ_C2C_7`, :need:`DREQ_C2C_8`, and :need:`DREQ_111A`.

.. motivation:: Design requirements as specified in 61508-2 clause 7.2.3.3
   :id: MOTIVATION_120_002
   :status: PASS

   These points map to the requirements in 61508-2 clause 7.2.3.3.

   \a) According to 7.4.4, the claimed HW safety integrity is achieved by route 1H (hardware fault tolerance and safe failure fraction). See :need:`DREQ_CAT4_1`, :need:`DREQ_REDUNDANCY_1` and :need:`SREQ_01B` and its derived requirements.

   \b) See hardware calculations. HW Diagnostic Coverage is mainly implemented in software. See requirements derived from :need:`SREQ_16A` and :need:`SREQ_16B`. Proof testing of output transistors: :need:`DREQ_01F`, :need:`DREQ_104A`. To fulfil the requirements for all other parts of the hardware/software, units must also be manually restarted within a certain interval, as specified by :need:`DREQ_112A`.

   \c) Different ways to achieve safe state are specified depending on the type of failure:

       * Internal failure: See :need:`DREQ_3A`.
       * External failure: See :need:`DREQ_4A`.

   \d) See :need:`DREQ_112A`.

   \e) See :need:`DREQ_EMC_1`, :need:`DREQ_EMC_2`, :need:`DREQ_113A`, and :need:`DREQ_17C`.

   \f) See :need:`DREQ_EMC_1` and :need:`DREQ_EMC_2`.

   \g) Quality assurance/quality control measures are specified in :ref:`fsd002`, specifically :need:`MOTIVATION_002_004`, :need:`MOTIVATION_002_005`, and :need:`MOTIVATION_002_007`.

.. motivation:: 61508-2 clause 7.2.3.4
   :id: MOTIVATION_120_005
   :status: PASS

   Verification activities are specified in :ref:`FSD107`. The system design requirements specification is completed in detail: each requirement depends on lower-level/more detailed requirements and tests, and is marked PASS when all derived requirements and tests are fulfilled and completed. Change management and modification is specified in :ref:`FSD002`.

.. motivation:: 61508-2 clause 7.2.3.5
   :id: MOTIVATION_120_006
   :status: PASS

   The techniques and measures are specified in :ref:`fsd303`. See table B.1.

.. motivation:: 61508-2 clause 7.2.3.6
   :id: MOTIVATION_120_007
   :status: PASS

   The implications of the design requirements on the architecture are considered during the design process. The architecture is closely related to the design requirements. See :ref:`FSD115`, :ref:`FSD304`, :ref:`FSD310`.

.. _fsd120_dreq_table:

DREQ summary
************

.. needtable::
   :tags: dreq
   :columns: id, title, source, status, derived
   :sort: lineno

Design requirements
*******************

General
*******

.. req:: CAT4/HFT 1
   :id: DREQ_CAT4_1
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   Safety Simplifier shall fulfil CAT4/HFT 1 and have SFF > 99%. The first stage of the power supply shall have HFT 0. Single outputs shall fulfil CAT3.

.. req:: Logic redundancy 13849-1
   :id: DREQ_REDUNDANCY_1
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   Safety Simplifier shall fulfil redundancy according to 13849-1 CAT4 for logic.
.. req:: Globally unique serial numbers
   :id: DREQ_28A
   :tags: dreq
   :derived: DREQ_28D

   Each Safety Simplifier shall have a globally unique serial number from production. The serial number shall be defined as a 32-bit unsigned integer between 1 and 0xFFFFFFFE.

.. req:: Valid serial numbers
   :id: DREQ_28B
   :tags: dreq
   :derived: SWSREQ_033A, SWSREQ_033B

   To minimize production errors, the serial numbers 0 and 0xFFFFFFFF shall be checked and handled as invalid.

.. req:: Valid serial numbers
   :id: DREQ_28C
   :tags: dreq
   :derived: DREQ_28D

   To allow Memory Card and simplifier to use the same series, a simplifier shall only use serial numbers with an even digit in the 10000s place, i.e. 0-9999, 20000-29999, 40000-49999, etc. Serial numbers with an odd digit in the 10000s place are reserved for memory cards.

   .. note:: A simplifier may use the serial number of a memory card installed in it. This allows swapping a broken unit for a new one without having to reprogram the whole system.

.. req:: Production procedures
   :id: DREQ_28D
   :tags: dreq
   :status: PASS

   The following procedures shall be implemented in production to fulfil :need:`DREQ_28A`, :need:`DREQ_28B`, and :need:`DREQ_28C`: See :download:`SSPN ID Code Control Process <../resources/JT/3. SSPN ID Code Control Process.pdf>`.

.. req:: EMC
   :id: DREQ_EMC_1
   :tags: dreq
   :derived: CERT_0001

   Safety Simplifier shall fulfil IEC 61131-2.

.. req:: RED (Radio Equipment Directive)
   :id: DREQ_EMC_2
   :tags: dreq
   :derived: CERT_0007

   Safety Simplifier shall fulfil RED.

.. req:: Max total 70 fits
   :id: DREQ_107A
   :tags: dreq
   :derived: CERT_0008

   To achieve SIL3 requirements, the PFHd for the total system shall not exceed 70 fits.

.. req:: Environment tests 61131-2
   :id: DREQ_113A
   :tags: dreq
   :derived: CERT_0001

   The unit shall pass environment tests according to IEC 61131-2.
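The serial number rules of DREQ_28A, DREQ_28B and DREQ_28C, together with the CRC-protected production data check that DREQ_C2C_8 later requires CPU1 to perform at startup, as an added C example that is not part of this specification or of the Safety Simplifier firmware; the production record layout and the CRC-32 variant used are assumptions:

```c
/* Added example, not SSP North AB's firmware: the serial number rules of
 * DREQ_28A/28B/28C and the CRC-protected production data check that
 * DREQ_C2C_8 requires CPU1 to run at startup. The record layout and the
 * CRC-32 variant (reflected, polynomial 0xEDB88320) are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    SERIAL_INVALID,      /* 0 or 0xFFFFFFFF (DREQ_28B) */
    SERIAL_SIMPLIFIER,   /* even digit in the 10000s place (DREQ_28C) */
    SERIAL_MEMORY_CARD   /* odd digit in the 10000s place: reserved for cards */
} serial_owner_t;

serial_owner_t classify_serial(uint32_t serial)
{
    if (serial == 0u || serial == 0xFFFFFFFFu) {
        return SERIAL_INVALID;
    }
    uint32_t ten_thousands = (serial / 10000u) % 10u;
    return (ten_thousands % 2u == 0u) ? SERIAL_SIMPLIFIER : SERIAL_MEMORY_CARD;
}

/* A simplifier may run on a memory card's serial (note under DREQ_28C), so at
 * runtime only the two invalid sentinels are rejected. */
bool serial_is_valid(uint32_t serial)
{
    return classify_serial(serial) != SERIAL_INVALID;
}

/* Bitwise reflected CRC-32; crc32_ieee("123456789", 9) == 0xCBF43926. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++) {
            uint32_t mask = (crc & 1u) ? 0xFFFFFFFFu : 0u;
            crc = (crc >> 1) ^ (0xEDB88320u & mask);
        }
    }
    return ~crc;
}

/* Assumed layout of the production record in CPU1 flash: the serial number
 * (little-endian) followed by a CRC-32 over those four bytes. */
typedef struct {
    uint8_t  serial_le[4];
    uint32_t crc;
} production_data_t;

production_data_t make_production_data(uint32_t serial)
{
    production_data_t pd;
    for (int i = 0; i < 4; i++) {
        pd.serial_le[i] = (uint8_t)(serial >> (8 * i));
    }
    pd.crc = crc32_ieee(pd.serial_le, sizeof pd.serial_le);
    return pd;
}

/* Startup check per DREQ_C2C_8: true means normal operation may start;
 * false means the unit shall enter safe state. */
bool production_data_ok(const production_data_t *pd)
{
    if (crc32_ieee(pd->serial_le, sizeof pd->serial_le) != pd->crc) {
        return false;   /* production data corrupted */
    }
    uint32_t serial = 0;
    for (int i = 0; i < 4; i++) {
        serial |= (uint32_t)pd->serial_le[i] << (8 * i);
    }
    return serial_is_valid(serial);
}

/* Returns true if a record for `serial` passes the check and the same record
 * with one flipped bit in the serial is rejected. */
bool crc_detects_bit_flip(uint32_t serial)
{
    production_data_t pd = make_production_data(serial);
    bool before = production_data_ok(&pd);
    pd.serial_le[0] ^= 0x01u;
    return before && !production_data_ok(&pd);
}

int main(void)
{
    uint32_t samples[] = { 0u, 1u, 9999u, 10000u, 25001u, 0xFFFFFFFFu };   /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("serial %10u: owner=%d bit-flip detected=%d\n", (unsigned)samples[i],
               (int)classify_serial(samples[i]), (int)crc_detects_bit_flip(samples[i]));
    }
    return 0;
}
```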
.. req:: User manual response time formula
   :id: DREQ_7C
   :derived: MOTIVATION_EN_61508_3_D_2_4_b
   :tags: dreq, manual

   A formula to calculate the absolute maximum response time shall be found in the user manual. Intentional delays and SREQ-27 shall be included in the formula.

.. req:: Vibration tests
   :id: DREQ_17B
   :derived: CERT_0006
   :tags: dreq

   Vibration tests as specified by :need:`SREQ_17D` shall be made for at least one unit.

.. req:: Temperature tests
   :id: DREQ_17C
   :derived: CERT_0006
   :tags: dreq

   Temperature tests according to :need:`SREQ_17A`, :need:`SREQ_17B`, and :need:`SREQ_17C` shall be made for at least one unit.

.. req:: Overheating shut off
   :id: DREQ_17D
   :derived: TEST_150_013
   :tags: dreq

   Internal temperature shall be measured during normal operation, and if the measured temperature exceeds 85 °C, the unit shall enter safe state.

   .. note:: The internal temperature will be higher than the external temperature since the unit is closed and has a power supply that generates heat. The device is designed to be used in an environment where the external temperature is up to 60 °C, so the internal temperature should not exceed 85 °C in normal operation.

.. req:: Voltage requirement
   :id: DREQ_MANUAL_10
   :derived: MOTIVATION_501_100
   :tags: dreq, manual

   The following voltage requirements shall be specified in the manual:

   * Normal operating voltage range shall be 7 VDC to 33 VDC,
   * All interfacing voltages and power supply voltages shall be less than 50 V, as specified in :need:`SREQ_18C`.

.. req:: Restart once per year
   :id: DREQ_112A
   :derived: MOTIVATION_501_101
   :tags: dreq, manual

   The unit shall be restarted at least once per year. If the application where it is used requires restarts more often than that, that requirement shall be fulfilled. This requirement shall be specified in the manual.
.. req:: Manual environmental conditions
   :id: DREQ_MANUAL_11
   :derived: MOTIVATION_501_102
   :tags: dreq, manual

   The storage and operating environmental conditions shall be specified in the manual.

.. req:: Manual, user configuration USB
   :id: DREQ_MANUAL_20
   :derived: MOTIVATION_501_103
   :tags: dreq, manual

   The correct procedure for configuring units via USB shall be available to the user in the manual.

.. req:: Manual, user configuration radio
   :id: DREQ_MANUAL_21
   :derived: MOTIVATION_501_104
   :tags: dreq, manual

   The correct procedure for configuring units via radio shall be available to the user in the manual. It shall especially consider :need:`SREQ_N_07B` and :need:`SREQ_N_07D`.

.. req:: Manual, user configuration CAN
   :id: DREQ_MANUAL_22
   :derived: MOTIVATION_501_105
   :tags: dreq, manual

   The correct procedure for configuring units via CAN shall be available to the user in the manual. It shall especially consider :need:`SREQ_N_07B` and :need:`SREQ_N_07D`.

.. req:: Manual, trained personnel
   :id: DREQ_MANUAL_23
   :derived: MOTIVATION_501_107
   :tags: dreq, manual

   The level of qualification required of users shall be specified in the manual.

.. req:: Manual, incident report
   :id: DREQ_MANUAL_24
   :derived: MOTIVATION_501_108
   :tags: dreq, manual

   The manual shall contain a procedure for reporting incidents and faults to SSP North AB.

.. req:: Fatal error codes and mitigations
   :id: DREQ_DIAGNOSTIC_01
   :derived: MOTIVATION_501_109
   :tags: dreq, manual

   All faults shall have unique error codes. For all faults, the cause and possible reason(s) for the fault shall be available to the user.

.. _subsystems:

Subsystems
**********

Power supply
============

.. req:: PSU CAT4/SIL3
   :id: DREQ_PSU_01
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   Power supply shall fulfil 13849-1 CAT4 and 61508 SIL3 requirements.

.. req:: Loss of power safe state
   :id: DREQ_24A
   :tags: dreq
   :derived: SWSREQ_003A

   Loss of power shall result in safe state.
.. req:: Under voltage safe state
   :id: DREQ_24B
   :tags: dreq
   :derived: SWSREQ_004A, SWSREQ_004B

   Under voltage shall result in safe state. The limit shall be configurable from 7 V to 30 V. The response time shall be minimum 500 ms and maximum 1000 ms.

   .. minimum 500ms to allow some disturbance on the voltage.
   .. TODO maybe lower this limit? Even 100ms is a long time in this case.

.. req:: Unstable Voltage safe state
   :id: DREQ_24C
   :tags: dreq
   :derived: DREQ_24B, DREQ_24D

   Unstable voltage shall result in safe state. Unstable voltage is here defined as voltage that does not fulfil the requirements of :need:`DREQ_24B` or :need:`DREQ_24D`.

   .. minimum 500ms to allow some disturbance on the voltage.
   .. TODO maybe lower this limit? Even 100ms is a long time in this case.

.. req:: Over Voltage safe state
   :id: DREQ_24D
   :tags: dreq
   :derived: SWSREQ_005A, SWSREQ_005B

   Over voltage shall result in safe state. The limit shall be configurable from 8 V to 33 V. The response time shall be minimum 500 ms and maximum 1000 ms.

   .. minimum 500ms to allow some disturbance on the voltage.
   .. TODO maybe lower this limit? Even 100ms is a long time in this case.

.. req:: Power supply < 20 fits
   :id: DREQ_101A
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   To achieve SIL3 requirements, the contribution from the power supply shall not exceed 20 fits.

.. req:: Safe after restart
   :id: DREQ_111A
   :tags: dreq
   :derived: SWSREQ_032E, SWSREQ_032A, SWSREQ_032B, SWSREQ_032C, SWSREQ_032D

   There shall be no hazard or dangerous situation created as a result of a unit restarting, no matter why or how it is restarted. This includes:

   * Ensuring that all safety checks are re-evaluated after a restart,
   * No sporadic output activation during early start/initialization,
   * All outputs turning off on restart,
   * No static dangerous faults being present after a restart without being detected.

   .. old: The system shall be designed so there are no safety issues if it is restarted, no matter why or how it is restarted.
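The supply-voltage supervision of DREQ_24B, DREQ_24C and DREQ_24D, as an added C example that is not the project's firmware: the configurable limits are range-checked against the allowed 7-30 V and 8-33 V spans, and safe state is latched once the supply has been out of range for the 500 ms minimum response time. The 1 ms tick, millivolt units and the 24 V healthy sample are assumptions.

```c
/* Added example, not the project's firmware: supply-voltage supervision per
 * DREQ_24B (under voltage, limit configurable 7-30 V) and DREQ_24D (over
 * voltage, limit configurable 8-33 V). The voltage must be outside the limits
 * for at least 500 ms before safe state is entered, which also satisfies the
 * 1000 ms maximum. A 1 ms tick and millivolt units are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define UV_LIMIT_MIN_MV      7000u
#define UV_LIMIT_MAX_MV     30000u
#define OV_LIMIT_MIN_MV      8000u
#define OV_LIMIT_MAX_MV     33000u
#define MIN_RESPONSE_MS       500u   /* minimum response time, DREQ_24B/24D */

typedef struct {
    uint32_t uv_limit_mv;
    uint32_t ov_limit_mv;
    uint32_t out_of_range_ms;   /* consecutive ms outside the limits */
    bool     safe_state;        /* latched; only a restart leaves safe state */
} voltage_monitor_t;

/* Accept a configuration only if both limits lie in their allowed ranges and
 * the under-voltage limit is below the over-voltage limit. */
bool voltage_monitor_init(voltage_monitor_t *m, uint32_t uv_mv, uint32_t ov_mv)
{
    if (uv_mv < UV_LIMIT_MIN_MV || uv_mv > UV_LIMIT_MAX_MV) return false;
    if (ov_mv < OV_LIMIT_MIN_MV || ov_mv > OV_LIMIT_MAX_MV) return false;
    if (uv_mv >= ov_mv) return false;
    m->uv_limit_mv = uv_mv;
    m->ov_limit_mv = ov_mv;
    m->out_of_range_ms = 0;
    m->safe_state = false;
    return true;
}

/* Called once per 1 ms tick with the measured supply voltage. Returns true
 * while the unit is in safe state. Dips shorter than 500 ms are tolerated
 * (the counter resets as soon as the voltage is back in range); a supply that
 * stays out of range for 500 ms latches safe state (DREQ_24C). */
bool voltage_monitor_tick(voltage_monitor_t *m, uint32_t measured_mv)
{
    if (m->safe_state) return true;   /* non-returning, see DREQ_SAFESTAE_2 */
    bool in_range = measured_mv >= m->uv_limit_mv && measured_mv <= m->ov_limit_mv;
    if (in_range) {
        m->out_of_range_ms = 0;
        return false;
    }
    if (++m->out_of_range_ms >= MIN_RESPONSE_MS) {
        m->safe_state = true;
    }
    return m->safe_state;
}

bool config_accepted(uint32_t uv_mv, uint32_t ov_mv)
{
    voltage_monitor_t m;
    return voltage_monitor_init(&m, uv_mv, ov_mv);
}

/* Simulation: 100 ms at a healthy 24 V, then `dip_ms` ms at `dip_mv`.
 * Returns the tick at which safe state was entered, or 0 if it never was. */
uint32_t simulate_excursion(uint32_t uv_mv, uint32_t ov_mv, uint32_t dip_mv, uint32_t dip_ms)
{
    voltage_monitor_t m;
    if (!voltage_monitor_init(&m, uv_mv, ov_mv)) return 0;
    uint32_t tick = 0;
    for (uint32_t i = 0; i < 100u; i++) {
        tick++;
        voltage_monitor_tick(&m, 24000u);
    }
    for (uint32_t i = 0; i < dip_ms; i++) {
        tick++;
        if (voltage_monitor_tick(&m, dip_mv)) return tick;
    }
    return 0;
}

int main(void)
{
    printf("499 ms dip to 6 V:  safe state at tick %u\n", (unsigned)simulate_excursion(7000u, 33000u, 6000u, 499u));
    printf("long dip to 6 V:    safe state at tick %u\n", (unsigned)simulate_excursion(7000u, 33000u, 6000u, 2000u));
    printf("long rise to 34 V:  safe state at tick %u\n", (unsigned)simulate_excursion(7000u, 33000u, 34000u, 2000u));
    return 0;
}
```

A tick value of 0 in the output means the excursion was tolerated; 600 means safe state was reached 500 ms after the excursion began, inside the 1000 ms maximum.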
Inputs
======

.. req:: Redundant inputs
   :id: DREQ_01C
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   Redundancy according to 13849-1 CAT4 when inputs are used in redundant configuration.

.. req:: Inputs < 10 fits
   :id: DREQ_102A
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   To achieve SIL3 requirements, the contribution from the inputs shall not exceed 10 fits.

.. req:: Input voltage range
   :id: DREQ_114A
   :tags: dreq
   :derived: SWSREQ_014A, MOTIVATION_220_001

   Each input shall be able to detect voltage levels from 0 to 30 V.

.. req:: Input asymmetrical resistor dividers
   :id: DREQ_16C
   :tags: dreq
   :derived: SWSREQ_016A, MOTIVATION_220_001

   Redundant inputs with asymmetrical resistor dividers shall be monitored continuously during operation.

.. req:: Input signal types
   :id: DREQ_114B
   :tags: dreq
   :derived: SWSREQ_011D

   Each input shall be able to distinguish between the different pulsed input signals, i.e. A/B/C/D/E pulses, as defined in FSD210.

.. req:: Two CPUs monitor inputs
   :id: DREQ_114C
   :tags: dreq
   :derived: SWSREQ_015B, MOTIVATION_220_001

   Each input shall be monitored by two processors.

.. req:: Input OFF/ON conditions
   :id: DREQ_114D
   :tags: dreq
   :derived: SWSREQ_011C, SWSREQ_011D

   Each input shall be able to be set to specified ON and OFF conditions handled by the software. See FSD210.

.. req:: Up to 14 inputs
   :id: DREQ_114E
   :tags: dreq
   :derived: MOTIVATION_220_002, SWSREQ_015A

   Safety Simplifier shall have up to 14 inputs.

.. req:: Combined inputs OFF/ON signal combinations
   :id: DREQ_116B
   :tags: dreq
   :derived: SWSREQ_011E

   A combination of ON and OFF conditions from inputs shall be able to be used for input logic conditions.

.. req:: Inputs startup test
   :id: DREQ_116C
   :tags: dreq
   :derived: SWSREQ_017A

   A condition for start-up shall be configurable for inputs. Start-up means that an input condition must always start with the OFF condition before ON is possible: at power on, after loss of energy, and after return of bus communication.
.. req:: All inputs analog
   :id: DREQ_14A
   :tags: dreq
   :derived: MOTIVATION_220_003, SWSREQ_014A, SWSREQ_016A

   All transistor inputs shall be implemented in HW as analogue (AD converter) inputs. The software shall handle all required input types.

.. req:: I/O ON and OFF states
   :id: DREQ_11A
   :tags: dreq
   :derived: SWSREQ_011A, SWSREQ_011B, SWSREQ_011C, SWSREQ_011D

   All transistor I/O shall have a configurable ON and OFF state as specified in FSD210.

.. req:: Coded input signals
   :id: DREQ_126B
   :tags: dreq
   :derived: SWSREQ_011C

   Each Safety Simplifier shall have inputs that are able to distinguish between the output signals defined in :need:`DREQ_126A`.

Transistor outputs
==================

.. req:: Redundant outputs CAT4
   :id: DREQ_01F
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   Transistor outputs shall fulfil 13849-1 CAT4 safety redundancy when used in redundant configuration.

   .. was DREQ_1D
   .. old: Safety Redundancy according to 13849-1 CAT4 for transistor outputs when used in redundant configuration.

.. req:: Transistor outputs 10 fits
   :id: DREQ_104A
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   To achieve SIL3 requirements, the contribution from the transistor outputs shall not exceed 10 fits.

.. req:: Transistor output distinguish faults
   :id: DREQ_115A
   :tags: dreq
   :derived: MOTIVATION_220_004, SWSREQ_018A, SWSREQ_019A

   Transistor outputs shall be able to distinguish between detected external and internal faults.

.. req:: Transistor outputs redundant transistors
   :id: DREQ_115B
   :tags: dreq
   :derived: MOTIVATION_220_005, SWSREQ_019B

   Each transistor output shall have two transistors which can individually set the output to zero voltage.

.. req:: Outputs read back voltage
   :id: DREQ_115C
   :tags: dreq
   :derived: MOTIVATION_220_006, SWSREQ_016A, SWSREQ_018A, SWSREQ_019A

   Transistor outputs shall be able to detect the voltage level on the output.
.. req:: OSSD
   :id: DREQ_115D
   :tags: dreq
   :derived: SWSREQ_011B, SWSREQ_022A

   Transistor outputs shall be able to be set as an OSSD output to detect external voltage connected to the output.

.. req:: OSSD detection same node
   :id: DREQ_115E
   :tags: dreq
   :derived: SWSREQ_022A

   Transistor outputs shall be able to detect short circuits between OSSD outputs from the same unit.

.. req:: 14 transistor outputs
   :id: DREQ_115F
   :tags: dreq
   :derived: MOTIVATION_220_002

   Each Safety Simplifier shall have up to 14 transistor outputs.

.. req:: Coded output signals
   :id: DREQ_126A
   :tags: dreq
   :derived: SWSREQ_011B, SWSREQ_011C

   Each Safety Simplifier shall be able to send out a minimum of 4 different pulse-coded signals, and their 4 inverses.

.. req:: Static and pulsed transistor outputs
   :id: DREQ_13A
   :tags: dreq
   :derived: SWSREQ_011B, SWSREQ_011C

   The SW shall implement both static and pulsed outputs on all transistor outputs.

.. req:: No external control
   :id: DREQ_15A
   :tags: dreq
   :derived: MOTIVATION_220_007, SWSREQ_020A

   There shall exist no external interface to directly control safety outputs.

   .. old: There shall be no way to directly control the safety outputs from the user interface, including push buttons, USB communications, and radio communication from the diagnostic and configuration tool (Simplifier Manager).

Relay outputs
=============

.. req:: Redundant relays
   :id: DREQ_12A
   :tags: dreq
   :derived: MOTIVATION_220_008, SWSREQ_023A

   Redundant relays shall be an optional output type.

   .. TODO also hardware design as derived req.

.. req:: Redundancy relays
   :id: DREQ_01E
   :tags: dreq
   :derived: MOTIVATION_220_008, MOTIVATION_212_001, MOTIVATION_115_001

   Relays in redundant configuration shall achieve redundancy according to 13849-1 CAT4.

   .. was DREQ_1E
   .. old: Redundancy according to 13849-1 CAT4 for relay outputs when used in redundant configuration.
.. req:: Relays 10 fits
   :id: DREQ_105A
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   To achieve SIL3 requirements, the contribution from the relay outputs shall not exceed 10 fits.

.. req:: Relays in series/parallel
   :id: DREQ_127A
   :tags: dreq
   :derived: MOTIVATION_220_009

   The output relays shall be able to be connected in parallel, in series, or separately.

   .. old: The output relays shall be able to be connected separately or in series.

Logic and configuration
=======================

.. req:: Redundant CPUs
   :id: DREQ_201A
   :tags: dreq
   :derived: MOTIVATION_220_010

   Two CPUs shall work in parallel to evaluate inputs, calculate the logic, and control/monitor the outputs.

.. req:: Time reference crystal 100ppm
   :id: DREQ_27A
   :tags: dreq
   :derived: MOTIVATION_220_011

   The reference timing source shall be implemented with a crystal or similar with a maximum error of 100 ppm over the full operating temperature span.

   .. TODO: reference hardware design as derived req.

.. req:: Time reference crystal measurement
   :id: DREQ_27B
   :tags: dreq
   :derived: TEST_300_044, TEST_300_125

   The reference timing source shall be monitored by both CPUs.

.. req:: Continuous flash tests
   :id: DREQ_16B
   :tags: dreq
   :derived: SWSREQ_002A, SWSREQ_002B

   Flash memory tests shall be made in both CPUs continuously during operation.

.. req:: Continuous RAM tests
   :id: DREQ_16A
   :tags: dreq
   :derived: SWSREQ_001A, SWSREQ_001B, SWSREQ_001C, SWSREQ_001D

   RAM tests shall be made in both CPUs continuously during operation.

.. req:: Configuration hash
   :tags: dreq
   :id: DREQ_LOGIC_202A
   :derived: SWSREQ_032C

   The configuration shall be protected by a 128-bit secure hash (CHASKEY-8).

.. req:: Configuration hash
   :tags: dreq
   :id: DREQ_LOGIC_202B
   :derived: SWSREQ_032C

   The configuration hash shall be checked at startup.

.. req:: Logic < 10 fits
   :id: DREQ_103A
   :tags: dreq
   :derived: MOTIVATION_212_001, MOTIVATION_115_001

   To achieve SIL3 requirements, the contribution from the logic shall not exceed 10 fits.
.. req:: Output as function of inputs
   :id: DREQ_122A
   :tags: dreq
   :derived: SWSREQ_008A

   Outputs on a node in a Simplifier system shall be able to be controlled by logic which depends on inputs from up to 16 nodes (including itself).

.. req:: Function block programming
   :id: DREQ_LOGIC_201A
   :tags: dreq
   :derived: SWSREQ_008A

   The logic shall be configured by the user by means of function blocks.

.. req:: Function block development procedure
   :id: DREQ_LOGIC_201B
   :derived: FSD123_SPEC1
   :tags: dreq

   All safety related function blocks (inputs, logic and outputs) shall be developed according to the procedure specified in :ref:`fsd123`.

.. req:: Combo I/O min read time
   :id: DREQ_116A
   :tags: dreq
   :derived: SWSREQ_021A

   For the special I/O type "combined I/O", the logic shall be able to use the I/O as both input and output within 4 ms. I.e., the input part shall be read at least every 4 ms. The duty cycle when active/ON shall be at least 75%.

.. req:: Input filtering
   :id: DREQ_26A
   :derived: TEST_GUI_SYNC_INPUTS_1, TEST_GUI_SYNC_INPUTS_2, TEST_GUI_ADVANCED_INPUT_1
   :tags: dreq

   The configuration shall have an option to select additional input filtering between 0 and 10000 ms.

.. req:: Selectable maximum communication reaction time
   :id: DREQ_123A
   :derived: TEST_150_021
   :tags: dreq

   The maximum reaction time from detecting a stop condition from a safety device until the stop condition is achieved (= output/s set to zero) shall be configurable by the user.

.. req:: User selectable max/min power supply voltage
   :id: DREQ_124A
   :derived: TEST_150_022
   :tags: dreq

   The programming tool shall provide setting of the max and min supply voltage of a safety simplifier.

.. req:: Logic calculation interval
   :id: DREQ_108A
   :tags: dreq
   :derived: SWSREQ_007A, SWSREQ_007B

   In normal operation mode, the firmware shall calculate the PLC logic at a fixed 1 ms interval. The fixed interval is defined so that the average interval during 10 seconds fulfils :need:`SREQ_27`.
.. req:: Logic calculation interval measurement
   :id: DREQ_108B
   :tags: dreq
   :derived: SWSREQ_007B, SWSREQ_007C

   The time interval of the logic calculation shall be measured and verified to fulfil :need:`DREQ_108A`.

.. req:: Dangerous fault reaction time
   :id: DREQ_9A
   :tags: dreq
   :derived: SWSREQ_026A

   The maximum delay between a dangerous failure occurring in a unit and all affected outputs in the complete system having reached safe state or design safe state shall be the time defined in :need:`SREQ_09B`.

.. req:: No user interface for unit setup
   :id: DREQ_10A
   :tags: dreq
   :derived: SWSREQ_031D

   There shall be no code that implements a user interface to set up or replace a unit from scratch, except that which is defined in :need:`DREQ_10B`.

.. req:: Memory card replacement
   :id: DREQ_10B
   :tags: dreq
   :derived: MOTIVATION_220_012, SWSREQ_031E

   There shall be a means to replace a unit by transferring its memory card to a new unit and following a replacement procedure.

   .. note:: This is intended to "move" a configuration from a unit (usually defective) to a new unit, to allow for quick replacement of defective units.

.. req:: All code is safety code
   :id: DREQ_30A
   :tags: dreq
   :derived: SWSREQ_100A

   All code shall be considered safety code/safety related.

Operation modes
===============

.. req:: Operation modes
   :id: DREQ_MODES_1
   :tags: dreq
   :derived: SWSREQ_027A

   The following modes of operation shall be implemented:

   * Normal operation: see :need:`DREQ_NORMALMODE_1`,
   * Safe state: see :need:`DREQ_SAFESTAE_1` and :need:`DREQ_SAFESTAE_2`,
   * Configuration mode: see requirements :need:`DREQ_LOGIC_200A`.

.. req:: Normal operation
   :id: DREQ_NORMALMODE_1
   :tags: dreq
   :derived: SWSREQ_028A

   In the normal mode of operation, the unit can communicate via the different interfaces, and controls outputs based on inputs, according to the user configuration.
.. req:: Safe state
   :id: DREQ_SAFESTAE_1
   :tags: dreq
   :derived: SWSREQ_029A, SWSREQ_024A

   In the safe state all outputs shall be monitored and continuously set to safe state.

.. req:: Safe state
   :id: DREQ_SAFESTAE_2
   :tags: dreq
   :derived: SWSREQ_024B

   The software shall implement safe state as a non-returning function: the only way to leave safe state shall be to restart the CPU.

.. req:: Internal failure safe state
   :id: DREQ_3A
   :tags: dreq
   :derived: SWSREQ_018A, SWSREQ_101A, SWSREQ_101B, SWSREQ_101C

   If a unit detects an internal dangerous failure, the unit shall go to safe state.

   .. old: The actions taken in the event of an internal dangerous failure being detected is that the relevant unit shall go into safe state.

.. req:: External failure safe state
   :id: DREQ_4A
   :tags: dreq
   :derived: SWSREQ_019A

   If a dangerous external failure is detected, the relevant outputs shall go to design safe state.

   .. old: The actions taken in the event of a dangerous failure being detected is that the relevant outputs shall go into safe state.

Configuration mode
==================

.. req:: Configuration mode
   :id: DREQ_LOGIC_200A
   :tags: dreq
   :derived: SWSREQ_030A

   The configuration mode shall be implemented as a non-returning function. The only way to leave configuration mode is by a software reset or power cycle.

.. req:: Configuration mode
   :id: DREQ_LOGIC_200B
   :tags: dreq
   :derived: SWSREQ_030B

   In the configuration mode all outputs shall be continuously monitored and turned off.

.. req:: Configuration mode
   :id: DREQ_LOGIC_200C
   :tags: dreq
   :derived: SWSREQ_030C

   The configuration mode shall only be possible to enter at startup by a software reset.

.. req:: Configuration mode
   :id: DREQ_LOGIC_200D
   :tags: dreq
   :derived: SWSREQ_030D

   Code which handles configuration shall only be reachable in configuration mode.

.. req:: Configuration mode
   :id: DREQ_LOGIC_200E
   :tags: dreq
   :derived: SWSREQ_030E

   The configuration mode shall be protected by a password.
   If the password is incorrect, the unit shall ignore the request to enter configuration mode.

   .. note:: If the password is incorrect, the unit continues what it is currently doing.

.. req:: Configuration mode
   :id: DREQ_LOGIC_200F
   :tags: dreq
   :derived: SWSREQ_030F

   If the configuration tool is connected but does not activate the configuration state, the Safety Simplifier shall work as normal.

.. req:: Configuration mode
   :id: DREQ_LOGIC_200G
   :tags: dreq
   :derived: SWSREQ_030G

   All configuration attempts when not in configuration mode shall be rejected.

.. req:: Configuration mode interfaces
   :id: DREQ_LOGIC_200H
   :tags: dreq
   :derived: SWSREQ_030H

   The configuration mode can be accessed via the following interfaces:

   * USB,
   * Radio,
   * CAN.

.. req:: Configuration download correct unit
   :id: DREQ_LOGIC_210A
   :tags: dreq
   :derived: SWSREQ_031A

   The PC tool shall verify that the destination unit is the correct unit specified by the user.

.. req:: Configuration download correct unit
   :id: DREQ_LOGIC_210B
   :tags: dreq
   :derived: SWSREQ_031B

   The PC tool shall allow the user to visually identify units via radio.

.. req:: Configuration download correct unit
   :id: DREQ_LOGIC_210C
   :tags: dreq
   :derived: SWSREQ_031B

   The PC tool shall allow the user to visually identify units via CAN.

.. req:: Configuration download success/fail
   :id: DREQ_LOGIC_210D
   :tags: dreq
   :derived: SWSREQ_031C

   After downloading a configuration to one or more units, the PC software shall present the success or failure to the user.

CPU-CPU communication
=====================

.. req:: CPU-CPU communication
   :id: DREQ_C2C_1
   :tags: dreq
   :derived: MOTIVATION_220_013, SWSREQ_010G

   The CPUs shall communicate with each other over a dedicated duplex communication channel.

.. req:: CPU-CPU communication white channel
   :id: DREQ_C2C_2
   :tags: dreq
   :derived: MOTIVATION_220_014, SWSREQ_010C

   The C2C communication channel shall be implemented as a white channel.
.. req:: CPU-CPU communication CRC
   :id: DREQ_C2C_3
   :tags: dreq
   :derived: SWSREQ_010B, SWSREQ_010D

   The CPU-CPU packets shall be protected by a 32-bit CRC.

.. req:: CPU-CPU communication timeout safe state
   :id: DREQ_C2C_4
   :tags: dreq
   :derived: SWSREQ_010E

   If more than 20 packets in a row in either direction are lost or corrupt, the unit shall enter safe state.

.. req:: CPU-CPU communication update frequency
   :id: DREQ_C2C_5
   :tags: dreq
   :derived: SWSREQ_010A

   Both CPUs shall transmit a packet once every 1 ms.

.. req:: CPUs check compatible firmwares
   :id: DREQ_C2C_6
   :tags: dreq
   :derived: SWSREQ_032B

   The CPUs shall check each other's SW version before starting normal operation. If they are not compatible, the unit shall enter safe state.

.. req:: CPUs check same configuration
   :id: DREQ_C2C_7
   :tags: dreq
   :derived: SWSREQ_032C

   The CPUs shall check the hash of each other's configuration before starting normal operation. If they are not equal, the unit shall enter safe state.

.. req:: CPUs check same configuration
   :id: DREQ_C2C_8
   :tags: dreq
   :derived: SWSREQ_032D, SWSREQ_033A

   The serial number shall be programmed in CPU1 flash during production, and protected by a 32-bit CRC. CPU1 shall check its production data by calculating the CRC, and also verify that the serial number is valid (see :need:`DREQ_28A`). If the production data is invalid or the serial number is invalid, the unit shall enter safe state.

Radio
=====

.. req:: HW radio black channel
   :id: DREQ_RADIO_1
   :tags: dreq
   :derived: SWSREQ_034A

   The HW radio communication shall be implemented as a black channel.

.. req:: Global memories
   :id: DREQ_RADIO_2A
   :tags: dreq
   :derived: SWSREQ_035A, SWSREQ_035B

   A safety simplifier shall have a configurable number of transmitted "safe bits" (global memories), in groups of 16, up to 256.

.. req:: Global memories per system
   :id: DREQ_RADIO_2B
   :tags: dreq
   :derived: SWSREQ_035A, SWSREQ_035B

   A safety simplifier network shall be able to share a maximum of 256 global memories.
   The configuration can allocate these in groups of 16 between the nodes in the network.

   .. note:: For example, a system of 16 nodes can have node 1 with 8 memory groups (128 global memories) and node 2 with 8 memory groups, a total of 256 memories. The 14 other nodes then don't have any memories.

.. req:: Communication timeouts
   :id: DREQ_RADIO_3A
   :tags: dreq
   :derived: SWSREQ_035C

   All nodes in a system shall keep track of the timeouts from all other nodes.

   .. old: A timer for each node in a system must be implemented, which keeps track of timeouts of packets from that specific node.

.. req:: Radio timeout
   :id: DREQ_RADIO_3B
   :tags: dreq
   :derived: SWSREQ_035D

   The radio timeout shall be configurable from 4 ms up to 60000 ms.

.. req:: Global memories startup test
   :id: DREQ_RADIO_10
   :derived: TEST_150_023
   :tags: dreq

   Each global memory shall have a start-up function which can be selected. This means that the receiving node has to receive a valid 0 before it can accept a 1 (i.e., receiving a 1 after radio timeout or just after network startup does not result in a valid 1 in logic).

   .. old: Each global memory shall have a start-up function which can be selected. This means that the memory has to start from zero (=OFF) before it can be set as one (1=condition ON).

.. req:: No safety critical failure indication
   :id: DREQ_RADIO_11
   :tags: dreq
   :derived: SWSREQ_034E, SWSREQ_034F

   There shall be no safety critical messages that indicate failures. All failure indications shall be implemented by detecting absence of safety packets (timeout).

CAN
===

.. req:: CAN communication HW
   :id: DREQ_CAN_1
   :derived: SWSREQ_038A
   :tags: dreq

   The HW CAN communication shall be implemented as a black channel.

.. req:: CAN communication protocol
   :id: DREQ_CAN_2
   :tags: dreq
   :derived: SWSREQ_038A

   Two modes of CAN communication shall be available:

   * CAN communication as a replacement/backup for radio communication,
   * SimpleCAN to other Simplifier systems.

.. Market reqs:
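The receiver side of the radio global memories (DREQ_RADIO_2A/2B), the per-node timeouts (DREQ_RADIO_3A/3B) and the start-up function of DREQ_RADIO_10, as an added C example that is not the project's firmware: a memory with the start-up function reads 0 in logic until a valid 0 has been received, both after network start and again after its node has timed out. Node indexing from 0, the packet contents and the 1 ms tick are assumptions.

```c
/* Added example, not the project's firmware: receiver-side handling of radio
 * "global memories" per DREQ_RADIO_2A/2B (groups of 16, max 256 per system),
 * DREQ_RADIO_3A/3B (one timeout per remote node, 4-60000 ms) and DREQ_RADIO_10
 * (start-up function). Node indices, packet contents and the tick are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define MAX_NODES       16
#define MAX_MEMORIES    256
#define GROUP_BITS      16
#define TIMEOUT_MIN_MS  4u
#define TIMEOUT_MAX_MS  60000u

typedef struct {
    uint32_t timeout_ms[MAX_NODES];     /* configured per remote node */
    uint32_t last_rx_ms[MAX_NODES];     /* tick of the last valid packet */
    bool     alive[MAX_NODES];          /* false before first packet and after timeout */
    uint8_t  owner[MAX_MEMORIES];       /* node owning each memory, 0xFF = unallocated */
    bool     startup_fn[MAX_MEMORIES];  /* start-up function selected (DREQ_RADIO_10) */
    bool     armed[MAX_MEMORIES];       /* valid 0 seen since start or last timeout */
    bool     value[MAX_MEMORIES];       /* value presented to the logic */
} gm_receiver_t;

void gm_init(gm_receiver_t *r) { memset(r, 0, sizeof *r); memset(r->owner, 0xFF, sizeof r->owner); }

bool gm_set_node_timeout(gm_receiver_t *r, int node, uint32_t timeout_ms)
{
    if (node < 0 || node >= MAX_NODES || timeout_ms < TIMEOUT_MIN_MS || timeout_ms > TIMEOUT_MAX_MS) return false;
    r->timeout_ms[node] = timeout_ms;
    return true;
}

/* Allocate the group of 16 memories starting at `first` to `node`. */
bool gm_allocate_group(gm_receiver_t *r, int node, int first, bool startup_fn)
{
    if (node < 0 || node >= MAX_NODES || first < 0 || first % GROUP_BITS != 0 ||
        first + GROUP_BITS > MAX_MEMORIES) return false;
    for (int i = first; i < first + GROUP_BITS; i++) {
        if (r->owner[i] != 0xFF) return false;   /* group already taken */
    }
    for (int i = first; i < first + GROUP_BITS; i++) {
        r->owner[i] = (uint8_t)node;
        r->startup_fn[i] = startup_fn;
    }
    return true;
}

/* A packet from `node` that already passed the safety-layer checks; bits[i] is
 * the transmitted value of memory i (positions not owned by `node` are ignored). */
void gm_receive(gm_receiver_t *r, int node, uint32_t now_ms, const bool bits[MAX_MEMORIES])
{
    if (node < 0 || node >= MAX_NODES) return;
    r->alive[node] = true;
    r->last_rx_ms[node] = now_ms;
    for (int i = 0; i < MAX_MEMORIES; i++) {
        if (r->owner[i] != node) continue;
        if (!bits[i]) { r->armed[i] = true; r->value[i] = false; }      /* valid 0 */
        else if (!r->startup_fn[i] || r->armed[i]) r->value[i] = true;
        /* else: a 1 before any valid 0 stays 0 in logic (DREQ_RADIO_10) */
    }
}

/* Called every tick: a node silent longer than its timeout is dropped, its
 * memories read 0 and must be re-armed by a valid 0. Absence of packets is the
 * only failure indication (DREQ_RADIO_11). */
void gm_tick(gm_receiver_t *r, uint32_t now_ms)
{
    for (int n = 0; n < MAX_NODES; n++) {
        if (!r->alive[n] || now_ms - r->last_rx_ms[n] <= r->timeout_ms[n]) continue;
        r->alive[n] = false;
        for (int i = 0; i < MAX_MEMORIES; i++) {
            if (r->owner[i] == n) { r->value[i] = false; r->armed[i] = false; }
        }
    }
}

bool gm_logic_value(const gm_receiver_t *r, int memory)
{ return memory >= 0 && memory < MAX_MEMORIES && r->value[memory]; }

/* Constructed scenario: node 1 owns memories 0-15 with start-up function, node 2
 * owns 16-31 without it, both with 100 ms timeout. Returned bits: 0 = memory 0
 * after a 1 with no prior 0, 1 = after 0 then 1, 2 = after node 1 timed out,
 * 3 = after a 1 following the timeout, 4 = memory 16 after a 1 with no prior 0. */
unsigned gm_scenario(void)
{
    gm_receiver_t r; bool ones[MAX_MEMORIES], zeros[MAX_MEMORIES]; unsigned obs = 0;
    for (int i = 0; i < MAX_MEMORIES; i++) { ones[i] = true; zeros[i] = false; }
    gm_init(&r);
    gm_set_node_timeout(&r, 1, 100u); gm_allocate_group(&r, 1, 0, true);
    gm_set_node_timeout(&r, 2, 100u); gm_allocate_group(&r, 2, 16, false);
    gm_receive(&r, 1, 10u, ones);  obs |= (unsigned)gm_logic_value(&r, 0) << 0;
    gm_receive(&r, 1, 20u, zeros);
    gm_receive(&r, 1, 30u, ones);  obs |= (unsigned)gm_logic_value(&r, 0) << 1;
    gm_receive(&r, 2, 30u, ones);  obs |= (unsigned)gm_logic_value(&r, 16) << 4;
    gm_tick(&r, 131u);             obs |= (unsigned)gm_logic_value(&r, 0) << 2;
    gm_receive(&r, 1, 140u, ones); obs |= (unsigned)gm_logic_value(&r, 0) << 3;
    return obs;   /* 0x12: only the armed 1 and the 1 without start-up function pass */
}
```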
.. req:: Logic function
   :id: DREQ_118A
   :tags: dreq
   :derived: SWSREQ_008A

   Safety Simplifier shall be able to be configured using Boolean algebra functions and numeric (integer) functions/operations.

.. req:: Input/output signal combinations
   :id: DREQ_2A
   :derived: SWSREQ_011A, SWSREQ_011B, SWSREQ_011C, SWSREQ_011D, SWSREQ_011E
   :tags: dreq

   Input and output signal combinations shall be configurable according to FSD209 and FSD210.

Revision History
****************

.. list-table::
   :header-rows: 1

   * - Date
     - By
     - Version
     - Description
   * - 2017-04-21
     - Mats Linger
     - V1
     - Initial version
   * - 2017-06-30
     - Mats Linger
     - V2
     - Text changes, no change in requirements.
   * - 2017-07-06
     - Mats Linger
     - V3
     - Numbering changes and change requirements.
   * - 2017-07-07
     - Mats Linger
     - V4
     - Adding of requirements.
   * - 2017-08-18
     - Mats Linger
     - V5
     - Adding and adjusting requirements.
   * - 2017-09-10
     - Mats Linger
     - V6
     - Adjustments of numbers, text, DREQ red in list.
   * - 2017-09-10
     - Mats Linger
     - V7
     - Adding of DREQ 2.2.
   * - 2017-10-11
     - Mats Linger
     - V8
     - Change of DREQ107.1 and DREQ8.1.
   * - 2018-04-11
     - Mats Linger
     - V9
     - Change DREQ: 3.1, 7.1, 7.2, 7.3, 120.1, 122.1, and 127.1.
   * - 2018-04-11
     - Mats Linger
     - V10
     - Adjusted DREQ3.
   * - 2018-05-02
     - Mats Linger
     - V11
     - Adjusted DREQ8.1 Response time for pulses and DREQ7.3 Formula in manual.
   * - 2023-09-01
     - William Forsdal
     - V12
     - Copied over old document to new structure, no change in requirements.
   * - 2023-09-01
     - William Forsdal
     - V13
     - * Added short descriptions for requirements
       * Add short description to requirements
       * Clarifications without changing meaning
       * Change DREQ117.1, allow configurable nr of memories.
       * Add DREQ_117.5, max 256 memories per system.
       * Deprecate DREQ_117.4, CAN memories repurposed.
       * Add DREQ_119.3 memory card IDs coexistence.
       * Add DREQ_130.3, secondary optimized radio protocol.
   * - 2025-08-05
     - William Forsdal
     - V14
     - * Clarify DREQ_111A
       * Move some block requirements to FSD124 and change to market requirements