.. _61508-1: 61508-1 ======= Not passed: :need_count:`'EN-61508-1' in tags and status!='PASS' and status!='N/A'` Passed: :need_count:`'EN-61508-1' in tags and status=='PASS'` N/A: :need_count:`'EN-61508-1' in tags and status=='N/A'` .. In the needtable below: .. sorting by lineno is important to keep the requirements in the correct order in the table. .. Sorting by name/id makes 10 appear before 1, so it is not useful. .. needtable:: :tags: EN-61508-1 :columns: id, title, status, derived :sort: lineno .. req:: EN-61508-1 clause 5.2.1: documentation sufficient for lifecycle phases :id: EN_61508_1_5_2_1 :tags: EN-61508-1 :derived: MOTIVATION_001_001 The documentation shall contain sufficient information, for each phase of the overall, E/E/PE system and software safety lifecycles completed, necessary for effective performance of subsequent phases and verification activities. .. req:: EN-61508-1 clause 5.2.2: documentation sufficient for management :id: EN_61508_1_5_2_2 :tags: EN-61508-1, 61508 :derived: MOTIVATION_001_002 The documentation shall contain sufficient information required for the management of functional safety (Clause 6). .. req:: EN-61508-1 clause 5.2.3: documentation sufficient for FSA :id: EN_61508_1_5_2_3 :tags: EN-61508-1 :derived: MOTIVATION_001_003 The documentation shall contain sufficient information required for the implementation of a functional safety assessment, together with the information and results derived from any functional safety assessment. .. req:: EN-61508-1 clause 5.2.4: documentation as stated by 61508 :id: EN_61508_1_5_2_4 :tags: EN-61508-1 :derived: MOTIVATION_001_004 The information to be documented shall be as stated in the various clauses of this standard unless justified or shall be as specified in the product or application sector international standard relevant to the application. .. 
req:: EN-61508-1 clause 5.2.5: sufficient documentation availability :id: EN_61508_1_5_2_5 :tags: EN-61508-1 :derived: MOTIVATION_001_005 The availability of documentation shall be sufficient for the duties to be performed in respect of the clauses of this standard. .. req:: EN-61508-1 clause 5.2.6: accessible and accurate documentation :id: EN_61508_1_5_2_6 :tags: EN-61508-1 :derived: MOTIVATION_001_006 The documentation shall: * be accurate and concise; * be easy to understand by those persons having to make use of it; * suit the purpose for which it is intended; * be accessible and maintainable. .. req:: EN-61508-1 clause 5.2.7: document titles/index :id: EN_61508_1_5_2_7 :tags: EN-61508-1 :derived: DOCREQ_01, DOCREQ_02 The documentation or set of information shall have titles or names indicating the scope of the contents, and some form of index arrangement so as to allow ready access to the information required in this standard. .. req:: EN-61508-1 clause 5.2.8: company procedures/practices :id: EN_61508_1_5_2_8 :tags: EN-61508-1 :derived: DOCREQ_01, DOCREQ_04 The documentation structure may take account of company procedures and the working practices of specific product or application sectors. .. req:: EN-61508-1 clause 5.2.9: documentation versioning :id: EN_61508_1_5_2_9 :tags: EN-61508-1 :derived: DOCREQ_03, DOCREQ_04 The documents or set of information shall have a revision index (version numbers) to make it possible to identify different versions of the document. .. req:: EN-61508-1 clause 5.2.10: searchable documentation structure :id: EN_61508_1_5_2_10 :tags: EN-61508-1 :derived: DOCREQ_01, DOCREQ_03 The documents or set of information shall be so structured as to make it possible to search for relevant information. It shall be possible to identify the latest revision (version) of a document or set of information. .. 
req:: EN-61508-1 clause 5.2.11: document control scheme :id: EN_61508_1_5_2_11 :tags: EN-61508-1 :derived: DOCREQ_04, DOCREQ_05 All relevant documents shall be revised, amended, reviewed and approved under an appropriate document control scheme. .. req:: EN-61508-1 clause 6.2.1: appoint responsibilities :id: EN_61508_1_6_2_1 :tags: EN-61508-1 :derived: MOTIVATION_002_003 An organisation with responsibility for an E/E/PE safety-related system, or for one or more phases of the overall, E/E/PE system or software safety lifecycle, shall appoint one or more persons to take overall responsibility for: * the system and for its lifecycle phases; * coordinating the safety-related activities carried out in those phases; * the interfaces between those phases and other phases carried out by other organisations; * carrying out the requirements of 6.2.2 to 6.2.11 and 6.2.13; * coordinating functional safety assessments (see 6.2.12 b) and Clause 8) - particularly where those carrying out the functional safety assessment differ between phases - including communication, planning, and integrating the documentation, judgements and recommendations; * ensuring that functional safety is achieved and demonstrated in accordance with the objectives and requirements of this standard. .. req:: EN-61508-1 clause 6.2.2: FS policy and strategy :id: EN_61508_1_6_2_2 :tags: EN-61508-1 :derived: MOTIVATION_002_002 The policy and strategy for achieving functional safety shall be specified, together with the means for evaluating their achievement, and the means by which they are communicated within the organization. .. 
req:: EN-61508-1 clause 6.2.3: identify responsible persons :id: EN_61508_1_6_2_3 :tags: EN-61508-1 :derived: MOTIVATION_002_003 All persons, departments and organizations responsible for carrying out activities in the applicable overall, E/E/PE system or software safety lifecycle phases (including persons responsible for verification and functional safety assessment and, where relevant, licensing authorities or safety regulatory bodies) shall be identified, and their responsibilities shall be fully and clearly communicated to them. .. req:: EN-61508-1 clause 6.2.4: communication procedures :id: EN_61508_1_6_2_4 :tags: EN-61508-1 :derived: MOTIVATION_002_002 Procedures shall be developed for defining what information is to be communicated, between relevant parties, and how that communication will take place. .. req:: EN-61508-1 clause 6.2.5: recommendation resolution procedures :id: EN_61508_1_6_2_5 :tags: EN-61508-1 :derived: MOTIVATION_002_004 Procedures shall be developed for ensuring prompt follow-up and satisfactory resolution of recommendations relating to E/E/PE safety-related systems, including those arising from: \a) hazard and risk analysis (see 7.4); \b) functional safety assessment (see Clause 8); \c) verification activities (see 7.18); \d) validation activities (see 7.8 and 7.14); \e) configuration management (see 6.2.10, 7.16, IEC 61508-2 and IEC 61508-3); \f) incident reporting and analysis (see 6.2.6). .. req:: EN-61508-1 clause 6.2.6: hazard-management procedures :id: EN_61508_1_6_2_6 :tags: EN-61508-1 :derived: MOTIVATION_002_005 Procedures shall be developed for ensuring that all detected hazardous events are analysed, and that recommendations are made to minimise the probability of a repeat occurrence. .. 
req:: EN-61508-1 clause 6.2.7: safety audit requirements :id: EN_61508_1_6_2_7 :tags: EN-61508-1 :derived: MOTIVATION_002_006 Requirements for periodic functional safety audits shall be specified, including: \a) the frequency of the functional safety audits; \b) the level of independence of those carrying out the audits; \c) the necessary documentation and follow-up activities. .. req:: EN-61508-1 clause 6.2.8: modification procedures :id: EN_61508_1_6_2_8 :tags: EN-61508-1 :derived: MOTIVATION_002_007 Procedures shall be developed for: \a) initiating modifications to the E/E/PE safety-related systems (see 7.16.2.2); \b) obtaining approval and authority for modifications. .. req:: EN-61508-1 clause 6.2.9: hazard info maintenance procedures :id: EN_61508_1_6_2_9 :tags: EN-61508-1 :derived: MANUALREQ_501_001 Procedures shall be developed for maintaining accurate information on hazards and hazardous events, safety functions and E/E/PE safety-related systems. .. req:: EN-61508-1 clause 6.2.10: procedure development guidelines :id: EN_61508_1_6_2_10 :tags: EN-61508-1 :derived: MOTIVATION_002_009 Procedures shall be developed for configuration management of the E/E/PE safety- related systems during the overall, E/E/PE system and software safety lifecycle phases, including in particular: \a) the point, in respect of specific phases, at which formal configuration control is to be implemented; \b) the procedures to be used for uniquely identifying all constituent parts of an item (hardware and software); \c) the procedures for preventing unauthorized items from entering service. .. req:: EN-61508-1 clause 6.2.11: emergency services training :id: EN_61508_1_6_2_11 :tags: EN-61508-1 :derived: MOTIVATION_002_010 Training and information for the emergency services shall be provided where appropriate. .. 
req:: EN-61508-1 clause 6.2.12: management and technical activities :id: EN_61508_1_6_2_12 :tags: EN-61508-1 :derived: MOTIVATION_002_011 Those individuals who have responsibility for one or more phases of the overall, E/E/PE system or software safety lifecycles shall, in respect of those phases for which they have responsibility and in accordance with the procedures defined in 6.2.1 to 6.2.11, specify all management and technical activities that are necessary to ensure the achievement, demonstration and maintenance of functional safety of the E/E/PE safety-related systems, including: \a) the selected measures and techniques used to meet the requirements of a specified clause or subclause (see IEC 61508-2, IEC 61508-3 and IEC 61508-6); \b) the functional safety assessment activities, and the way in which the achievement of functional safety will be demonstrated to those carrying out the functional safety assessment (see Clause 8); \c) the procedures for analysing operations and maintenance performance, in particular for * recognising systematic faults that could jeopardise functional safety, including procedures used during routine maintenance that detect recurring faults; * assessing whether the demand rates and failure rates during operation and maintenance are in accordance with assumptions made during the design of the system. .. req:: EN-61508-1 clause 6.2.13: responsible persons competence :id: EN_61508_1_6_2_13 :tags: EN-61508-1 :derived: MOTIVATION_002_012 Procedures shall be developed to ensure that all persons with responsibilities defined in accordance with 6.2.1 and 6.2.3 (i.e. including all persons involved in any overall, E/E/PE system or software lifecycle activity, including activities for verification, management of functional safety and functional safety assessment), shall have the appropriate competence (i.e. training, technical knowledge, experience and qualifications) relevant to the specific duties that they have to perform. 
Such procedures shall include requirements for the refreshing, updating and continued assessment of competence. .. req:: EN-61508-1 clause 6.2.14: competence appropriateness consideration :id: EN_61508_1_6_2_14 :tags: EN-61508-1 :derived: MOTIVATION_002_013 The appropriateness of competence shall be considered in relation to the particular application, taking into account all relevant factors including: \a) the responsibilities of the person; \b) the level of supervision required; \c) the potential consequences in the event of failure of the E/E/PE safety-related systems - the greater the consequences, the more rigorous shall be the specification of competence; \d) the safety integrity levels of the E/E/PE safety-related systems - the higher the safety integrity levels, the more rigorous shall be the specification of competence; \e) the novelty of the design, design procedures or application - the newer or more untried these are, the more rigorous shall be the specification of competence; \f) previous experience and its relevance to the specific duties to be performed and the technology being employed - the greater the required competence, the closer the fit shall be between the competences developed from previous experience and those required for the specific activities to be undertaken; \g) the type of competence appropriate to the circumstances (for example qualifications, experience, relevant training and subsequent practice, and leadership and decision-making abilities); \h) engineering knowledge appropriate to the application area and to the technology; \i) safety engineering knowledge appropriate to the technology; \j) knowledge of the legal and safety regulatory framework; \k) relevance of qualifications to specific activities to be performed. .. 
req:: EN-61508-1 clause 6.2.15: responsible persons competence specification :id: EN_61508_1_6_2_15 :tags: EN-61508-1 :derived: MOTIVATION_002_003 The competence of all persons with responsibilities defined in accordance with 6.2.1 and 6.2.3 shall be documented. .. req:: EN-61508-1 clause 6.2.16: implement and monitor activities specified in 6.2.2 - 6.2.15 :id: EN_61508_1_6_2_16 :tags: EN-61508-1 :derived: MOTIVATION_002_026 The activities specified as a result of 6.2.2 to 6.2.15 shall be implemented and monitored. .. req:: EN-61508-1 clause 6.2.17: qms :id: EN_61508_1_6_2_17 :tags: EN-61508-1 :derived: MOTIVATION_002_014 Suppliers providing products or services to an organization having overall responsibility for one or more phases of the overall, E/E/PE system or software safety lifecycles (see 6.2.1), shall deliver products or services as specified by that organization and shall have an appropriate quality management system. .. req:: EN-61508-1 clause 6.2.18: activities relating to the management of functional safety :id: EN_61508_1_6_2_18 :tags: EN-61508-1 :derived: MOTIVATION_002_015 Activities relating to the management of functional safety shall be applied at the relevant phases of the overall, E/E/PE system and software safety lifecycles (see 7.1.1.5). .. req:: EN-61508-1 clause 7.1.4.1: use overall safety lifecycle :id: EN_61508_1_7_1_4_1 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The overall safety lifecycle that shall be used as the basis for claiming conformance to this standard is that specified in Figure 2. If another overall safety lifecycle is used, it shall be specified as part of the management of functional safety activities (see Clause 6) and all the objectives and requirements in each clause or subclause in this standard shall be met. .. 
req:: EN-61508-1 clause 7.1.4.2: management shall run in parallell with lifecycle :id: EN_61508_1_7_1_4_2 :tags: EN-61508-1 :derived: MOTIVATION_002_016 The requirements for the management of functional safety (see Clause 6) shall run in parallel with the overall safety lifecycle phases. .. req:: EN-61508-1 clause 7.1.4.3: each phase shall be applied, or justified otherwise :id: EN_61508_1_7_1_4_3 :tags: EN-61508-1 :derived: MOTIVATION_002_017 Unless justified, each phase of the overall safety lifecycle shall be applied and the requirements met. .. req:: EN-61508-1 clause 7.1.4.4: divide phases into activites, inputs, outputs. :id: EN_61508_1_7_1_4_4 :tags: EN-61508-1 :derived: MOTIVATION_002_018 Each phase of the overall safety lifecycle shall be divided into elementary activities with the scope, inputs and outputs specified for each phase. .. req:: EN-61508-1 clause 7.1.4.5: scope and inputs per phase as specified in table 1 :id: EN_61508_1_7_1_4_5 :tags: EN-61508-1 :derived: MOTIVATION_002_019 The scope and inputs for each overall safety lifecycle phase shall be as specified in Table 1 unless justified as part of the management of functional safety activities (see Clause 6) or specified in the product or application sector international standard. .. req:: EN-61508-1 clause 7.1.4.6: outputs per phase as specified in table 1 :id: EN_61508_1_7_1_4_6 :tags: EN-61508-1 :derived: MOTIVATION_002_019 The outputs from each phase of the overall safety lifecycle shall be those specified in Table 1 unless justified as part of the management of functional safety activities (see Clause 6) or specified in the product or application sector international standard. .. req:: EN_61508_1 clause 7.1.4.7: lifecycle phase outputs shall meet requirements :id: EN_61508_1_7_1_4_7 :tags: EN-61508-1 :derived: MOTIVATION_002_020 The outputs from each phase of the overall safety lifecycle shall meet the objectives and requirements specified for each phase (see 7.2 to 7.17). .. 
req:: EN-61508-1 clause 7.1.4.8: verification requirements shall be met :id: EN_61508_1_7_1_4_8 :tags: EN-61508-1 :derived: MOTIVATION_002_021 The verification requirements that shall be met for each overall safety lifecycle phase are specified in 7.18. .. req:: EN-61508-1 clause 7.2.2.1: EUC familiarity :id: EN_61508_1_7_2_2_1 :tags: EN-61508-1 :derived: MOTIVATION_002_001 A thorough familiarity shall be acquired of the EUC, its required control functions and its physical environment. .. req:: EN-61508-1 clause 7.2.2.2: determine likely sources of hazards :id: EN_61508_1_7_2_2_2 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The likely sources of hazards, hazardous situations and harmful events shall be determined. .. req:: EN-61508-1 clause 7.2.2.3: obtain info about hazards :id: EN_61508_1_7_2_2_3 :tags: EN-61508-1 :derived: MOTIVATION_002_001 Information about the determined hazards shall be obtained (for example, duration, intensity, toxicity, exposure limit, mechanical force, explosive conditions, reactivity, flammability etc.). .. req:: EN-61508-1 clause 7.2.2.4: obtain safety regulations info :id: EN_61508_1_7_2_2_4 :tags: EN-61508-1 :derived: MOTIVATION_002_001 Information about the current safety regulations (national and international) shall be obtained. .. req:: EN-61508-1 clause 7.2.2.5: consider hazards due to interaction with other EUCs :id: EN_61508_1_7_2_2_5 :tags: EN-61508-1 :derived: MOTIVATION_002_001 Hazards, hazardous situations and harmful events due to interaction with other equipment or systems (installed or to be installed) of the EUC shall be considered together with other EUCs (installed or to be installed). .. req:: EN-61508-1 clause 7.2.2.6: document info from 7.2.2.1 - 7.2.2.5 :id: EN_61508_1_7_2_2_6 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The information and results acquired in 7.2.2.1 to 7.2.2.5 shall be documented. .. 
req:: EN-61508-1 clause 7.3.2.1: define EUC boundary :id: EN_61508_1_7_3_2_1 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The boundary of the EUC and the EUC control system shall be defined so as to include all equipment and systems (including humans where appropriate) that are associated with relevant hazards and hazardous events. .. req:: EN-61508-1 clause 7.3.2.2: specify physical equipment in EUC :id: EN_61508_1_7_3_2_2 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The physical equipment, including the EUC and the EUC control system, to be included in the scope of the hazard and risk analysis shall be specified. .. req:: EN-61508-1 clause 7.3.2.3: specify external events to account for in risk analysis :id: EN_61508_1_7_3_2_3 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The external events to be taken into account in the hazard and risk analysis shall be specified. .. req:: EN-61508-1 clause 7.3.2.4: specify associated equipment and systems :id: EN_61508_1_7_3_2_4 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The equipment and systems that are associated with the hazards and hazardous events shall be specified. .. req:: EN-61508-1 clause 7.3.2.5: specify initiating event types :id: EN_61508_1_7_3_2_5 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The type of initiating events that need to be considered (for example component failures, procedural faults, human error, dependent failure mechanisms that can cause hazardous events) shall be specified. .. req:: EN-61508-1 clause 7.3.2.6: document information aquired in 7.3 reqs :id: EN_61508_1_7_3_2_6 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The information and results acquired in 7.3.2.1 to 7.3.2.5 shall be documented. .. req:: EN-61508-1 clause 7.4.2.1: create hazard and risk analysis :id: EN_61508_1_7_4_2_1 :tags: EN-61508-1 :derived: MOTIVATION_002_001 A hazard and risk analysis shall be undertaken which shall take into account information from the overall scope definition phase (see 7.3). 
If decisions are taken at later stages in the overall, E/E/PE system or software safety lifecycle phases that may change the basis on which the earlier decisions were taken, then a further hazard and risk analysis shall be undertaken. .. req:: EN-61508-1 clause 7.4.2.2: hazard elimination or reduction considerations :id: EN_61508_1_7_4_2_2 :tags: EN-61508-1 :derived: MOTIVATION_002_001 Consideration shall be given to the elimination or reduction of the hazards. .. req:: EN-61508-1 clause 7.4.2.3: determine hazards for all circumstances :id: EN_61508_1_7_4_2_3 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The hazards, hazardous events and hazardous situations of the EUC and the EUC control system shall be determined under all reasonably foreseeable circumstances (including fault conditions, reasonably foreseeable misuse and malevolent or unauthorised action). This shall include all relevant human factor issues, and shall give particular attention to abnormal or infrequent modes of operation of the EUC. If the hazard analysis identifies that malevolent or unauthorised action, constituting a security threat, as being reasonably foreseeable, then a security threats analysis should be carried out. .. req:: EN-61508-1 clause 7.4.2.4: determine event sequences leading to hazard :id: EN_61508_1_7_4_2_4 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The event sequences leading to the hazardous events determined in 7.4.2.3 shall be determined. .. req:: EN-61508-1 clause 7.4.2.5: specify hazard likelihood :id: EN_61508_1_7_4_2_5 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The likelihood of the hazardous events for the conditions specified in 7.4.2.3 shall be evaluated. .. req:: EN-61508-1 clause 7.4.2.6: specify hazard event consequences :id: EN_61508_1_7_4_2_6 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The consequences associated with the hazardous events determined in 7.4.2.3 shall be determined. .. 
req:: EN-61508-1 clause 7.4.2.7: estimate risk for all hazardous events :id: EN_61508_1_7_4_2_7 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The EUC risk shall be evaluated, or estimated, for each determined hazardous event. .. req:: EN-61508-1 clause 7.4.2.8: 7.4 reqs be met by techniques :id: EN_61508_1_7_4_2_8 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The requirements of 7.4.2.1 to 7.4.2.7 can be met by the application of either qualitative or quantitative hazard and risk analysis techniques (see IEC 61508-5). .. req:: EN-61508-1 clause 7.4.2.9: techniques appropriateness factors :id: EN_61508_1_7_4_2_9 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The appropriateness of the techniques, and the extent to which the techniques will need to be applied, will depend on a number of factors, including: * the specific hazards and the consequences; * the complexity of the EUC and the EUC control system; * the application sector and its accepted good practices; * the legal and safety regulatory requirements; * the EUC risk; * the availability of accurate data upon which the hazard and risk analysis is to be based. .. req:: EN-61508-1 clause 7.4.2.10: hazard and risk analysis considerations :id: EN_61508_1_7_4_2_10 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The hazard and risk analysis shall consider the following: * each determined hazardous event and the components that contribute to it; * the consequences and likelihood of the event sequences with which each hazardous event is associated; * the tolerable risk for each hazardous event; * the measures taken to reduce or remove hazards and risks; * the assumptions made during the analysis of the risks, including the estimated demand rates and equipment failure rates; any credit taken for operational constraints or human intervention shall be detailed. .. 
req:: EN-61508-1 clause 7.4.2.11: document information in hazard and risk analysis :id: EN_61508_1_7_4_2_11 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The information and results that constitute the hazard and risk analysis shall be documented. .. req:: EN-61508-1 clause 7.4.2.12: maintain risk analysis info throughout safety lifecycle :id: EN_61508_1_7_4_2_12 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The information and results that constitute the hazard and risk analysis shall be maintained for the EUC and the EUC control system throughout the overall safety lifecycle, from the hazard and risk analysis phase to the decommissioning or disposal phase. .. req:: EN-61508-1 clause 7.5.2.1: develop necessary safety functions based on risk analysis :id: EN_61508_1_7_5_2_1 :tags: EN-61508-1 :derived: MOTIVATION_002_001 A set of all necessary overall safety functions shall be developed based on the hazardous events derived from the hazard and risk analysis. This shall constitute the specification for the overall safety functions requirements. .. req:: EN-61508-1 clause 7.5.2.2: specify security requirements in vulnerability analysis :id: EN_61508_1_7_5_2_2 :tags: EN-61508-1 :derived: MOTIVATION_002_001 If security threats have been identified, then a vulnerability analysis should be undertaken in order to specify security requirements. .. req:: EN-61508-1 clause 7.5.2.3: determine SIL req for each safety function :id: EN_61508_1_7_5_2_3 :tags: EN-61508-1 :derived: MOTIVATION_002_001 For each overall safety function, a target safety integrity requirement shall be determined that will result in the tolerable risk being met. Each requirement may be determined in a quantitative and/or qualitative manner. This shall constitute the specification for the overall safety integrity requirements. .. 
req:: EN-61508-1 clause 7.5.2.4: specify overall SIL reqs in terms of risk reduction/tolerable hazard rate :id: EN_61508_1_7_5_2_4 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The overall safety integrity requirements shall be specified in terms of either * the risk reduction required to achieve the tolerable risk, or * the tolerable hazardous event rate so as to meet the tolerable risk. .. req:: EN-61508-1 clause 7.5.2.5: EUC control system dangerous failure rate :id: EN_61508_1_7_5_2_5 :tags: EN-61508-1 :derived: MOTIVATION_002_001 If, in assessing the EUC risk, the average frequency of dangerous failures of a single EUC control system function is claimed as being lower than 10E-5 dangerous failures per hour then the EUC control system shall be considered to be a safety-related control system subject to the requirements of this standard. .. req:: EN-61508-1 clause 7.5.2.6: non-safety EUC control system failure rates :id: EN_61508_1_7_5_2_6 :tags: EN-61508-1 :derived: MOTIVATION_002_001 Where failures of the EUC control system place a demand on one or more E/E/PE safety-related systems and/or other risk reduction measures, and where the intention is not to designate the EUC control system as a safety-related system, the following requirements shall apply: \a) the rate of dangerous failure claimed for the EUC control system shall be supported by data acquired through one of the following: * actual operating experience of the EUC control system in a similar application; * a reliability analysis carried out to a recognised procedure; * an industry database of reliability of generic equipment; \b) the rate of dangerous failure that can be claimed for the EUC control system shall be no lower than 10E-5 dangerous failures per hour; \c) all reasonably foreseeable dangerous failure modes of the EUC control system shall be taken into account in developing the specification for the overall safety requirements; \d) the EUC control system shall be independent from the 
E/E/PE safety-related systems and other risk reduction measures. .. req:: EN-61508-1 clause 7.5.2.7: safety EUC control system failure rates :id: EN_61508_1_7_5_2_7 :tags: EN-61508-1 :derived: MOTIVATION_002_001 If the requirements of 7.5.2.6 a) to d) inclusive cannot be met, then the EUC control system shall be designated as a safety-related system. The safety integrity level of functions of the EUC control system shall be determined by the rate of dangerous failure that is claimed for the EUC control system in accordance with Table 3 (see Note 3 of 7.6.2.9). In such cases, the requirements in this standard, relevant to the allocated safety integrity level, shall apply to the EUC control system. .. req:: EN-61508-1 clause 7.6.2.1: specification of safety-related systems :id: EN_61508_1_7_6_2_1 :tags: EN-61508-1 :derived: MOTIVATION_002_001 The designated safety-related systems that are to be used to achieve the required functional safety shall be specified. The tolerable risk may be met by * E/E/PE safety-related systems; and/or * other risk reduction measures. .. req:: EN-61508-1 clause 7.6.2.2: overall safety functions for E/E/PE safety-related systems :id: EN_61508_1_7_6_2_2 :tags: EN-61508-1 :derived: MOTIVATION_002_001 In allocating overall safety functions to the designated E/E/PE safety-related systems and other risk reduction measures, the skills and resources available during all phases of the overall safety lifecycle shall be considered. .. req:: EN-61508-1 clause 7.6.2.3: safety function allocation :id: EN_61508_1_7_6_2_3 :tags: EN-61508-1 :derived: MOTIVATION_002_001 Each overall safety function, with its associated overall safety integrity requirement developed according to 7.5, shall be allocated to one or more of the designated E/E/PE safety- related systems and/or other risk reduction measures, so that the tolerable risk for the safety function is achieved. 
   This allocation is iterative, and if it is found that the tolerable risk cannot be achieved, then the specifications for the EUC control system, the designated E/E/PE safety-related systems and the other risk reduction measures shall be modified and the allocation repeated.

.. req:: EN-61508-1 clause 7.6.2.4: allocation shall be subject to the requirements in 7.6.2.10
   :id: EN_61508_1_7_6_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The allocation indicated in 7.6.2.3 shall be done in such a way that all overall safety functions are allocated and target failure measures are defined for each safety function (subject to the requirements specified in 7.6.2.10).

.. req:: EN-61508-1 clause 7.6.2.5: specification of safety integrity requirements
   :id: EN_61508_1_7_6_2_5
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The safety integrity requirements for each safety function shall be specified in terms of either

   * the average probability of a dangerous failure on demand of the safety function, for a low demand mode of operation, or
   * the average frequency of a dangerous failure of the safety function [h\ :sup:`-1`] for a high demand or a continuous mode of operation.

.. req:: EN-61508-1 clause 7.6.2.6: appropriate techniques for allocation
   :id: EN_61508_1_7_6_2_6
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The allocation of the safety integrity requirements shall be carried out using appropriate techniques for the combination of probabilities.

.. req:: EN-61508-1 clause 7.6.2.7: handling the possibility of common cause failures
   :id: EN_61508_1_7_6_2_7
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The allocation shall proceed taking into account the possibility of common cause failures. If the EUC control system, E/E/PE safety-related systems and other risk reduction measures are to be treated as independent for the allocation, they shall:

   * be independent such that the likelihood of simultaneous failures between two or more of these different systems or measures is sufficiently low in relation to the required safety integrity;
   * be functionally diverse (i.e. use totally different approaches to achieve the same results);
   * be based on diverse technologies (i.e. use different types of equipment to achieve the same results);
   * not share common parts, services or support systems (for example power supplies) whose failure could result in a dangerous mode of failure of all systems;
   * not share common operational, maintenance or test procedures.

   Within common cause analysis, limiting and constraint conditions for the realisation of E/E/PE safety-related systems, such as the necessary separation of different channels of an E/E/PE system, subsystem or element (for example by space), shall be checked. This may not allow, for example, for two channels/microprocessors on one board or for on-chip redundancy (see IEC 61508-2, Annex E).

.. req:: EN-61508-1 clause 7.6.2.8: actions to take if requirements in 7.6.2.7 are not met
   :id: EN_61508_1_7_6_2_8
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   If not all of the requirements in 7.6.2.7 can be met, then the E/E/PE safety-related systems and the other risk reduction measures shall not be treated as independent for the purposes of the safety allocation. Instead, the allocation shall take into account relevant common cause failures between the EUC control system, the E/E/PE safety-related systems and the other risk reduction measures.

.. req:: EN-61508-1 clause 7.6.2.9: specification once allocation has sufficiently progressed
   :id: EN_61508_1_7_6_2_9
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   When the allocation has sufficiently progressed, the safety integrity requirements, for each safety function allocated to the E/E/PE safety-related system(s), shall be specified in terms of the safety integrity level in accordance with Table 2 or Table 3 and shall indicate whether the target failure measure is either:

   * the average probability of dangerous failure on demand of the safety function (PFDavg), for a low demand mode of operation (Table 2), or
   * the average frequency of a dangerous failure of the safety function [h\ :sup:`-1`] (PFH), for a high demand mode of operation (Table 3), or
   * the average frequency of a dangerous failure of the safety function [h\ :sup:`-1`] (PFH), for a continuous mode of operation (Table 3).

.. req:: EN-61508-1 clause 7.6.2.10: handling safety-related hardware and software with insufficient independence of implementation
   :id: EN_61508_1_7_6_2_10
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   For an E/E/PE safety-related system that implements safety functions of different safety integrity levels, unless it can be shown that there is sufficient independence of implementation between these particular safety functions, those parts of the safety-related hardware and software where there is insufficient independence of implementation shall be treated as belonging to the safety function with the highest safety integrity level. Therefore, the requirements applicable to the highest relevant safety integrity level shall apply to all those parts.

.. req:: EN-61508-1 clause 7.6.2.11: SIL 4 safety function allocation process result
   :id: EN_61508_1_7_6_2_11
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   In cases where the allocation process results in the requirement for an E/E/PE safety-related system implementing a SIL 4 safety function, then the following shall apply:

   \a) There shall be a reconsideration of the application to determine if any of the risk parameters can be modified so that the requirement for a SIL 4 safety function is avoided. The review shall consider whether:

   * additional safety-related systems or other risk reduction measures, not based on E/E/PE safety-related systems, could be introduced;
   * the severity of the consequence could be reduced;
   * the likelihood of the specified consequence could be reduced.

   \b) If, after further consideration of the application, it is decided to implement the SIL 4 safety function, then a further risk assessment shall be carried out using a quantitative method that takes into consideration potential common cause failures between the E/E/PE safety-related system and:

   * any other systems whose failure would place a demand on it; and
   * any other safety-related systems.

.. req:: EN-61508-1 clause 7.6.2.12: lower limits when allocating safety functions
   :id: EN_61508_1_7_6_2_12
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   No single safety function in an E/E/PE safety-related system shall be allocated a target safety integrity lower than specified in Tables 2 and 3. That is, for safety-related systems operating in

   * a low demand mode of operation, the lower limit is set at an average probability of a dangerous failure on demand of the safety function of 10\ :sup:`-5`;
   * a high demand or a continuous mode of operation, the lower limit is set at an average frequency of a dangerous failure of 10\ :sup:`-9` [h\ :sup:`-1`].
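The allocation rules in 7.6.2.5, 7.6.2.6, 7.6.2.10 and 7.6.2.12 above can be checked mechanically. The following is an added example written for this page; it is not part of the requirement set or of any project code. It assumes that the other risk reduction layers meet the independence criteria of 7.6.2.7, so that the product of the layers' PFDs is an appropriate combination of probabilities for a low demand hazard; the SIL bands are the Table 2 (PFDavg) and Table 3 (PFH) bands of IEC 61508-1, which this page only refers to; the layer PFDs, safety functions and part names are constructed sample values.

```python
"""Added example (not from the EN-61508-1 requirement set on this page):
a small allocation checker for clauses 7.6.2.5, 7.6.2.6, 7.6.2.10 and 7.6.2.12.
The SIL bands are the Table 2 (PFDavg) / Table 3 (PFH) bands of IEC 61508-1;
all layer, safety-function and part data below are constructed sample values.
"""
from dataclasses import dataclass
from enum import Enum
from math import prod


class Mode(Enum):
    LOW_DEMAND = "low demand"    # target failure measure: PFDavg (Table 2)
    HIGH_DEMAND = "high demand"  # target failure measure: PFH [h^-1] (Table 3)
    CONTINUOUS = "continuous"    # target failure measure: PFH [h^-1] (Table 3)


# Clause 7.6.2.12: no safety function may be given a target more demanding than this.
LOWER_LIMIT = {Mode.LOW_DEMAND: 1e-5, Mode.HIGH_DEMAND: 1e-9, Mode.CONTINUOUS: 1e-9}

# SIL bands as (SIL, lower bound inclusive, upper bound exclusive).
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_for_target(mode: Mode, target: float):
    """7.6.2.9: express a target failure measure as a SIL; None if outside SIL 1..4."""
    bands = PFD_BANDS if mode is Mode.LOW_DEMAND else PFH_BANDS
    for sil, lo, hi in bands:
        if lo <= target < hi:
            return sil
    return None


def meets_lower_limit(mode: Mode, target: float) -> bool:
    """7.6.2.12: reject targets below the 10^-5 PFDavg / 10^-9 h^-1 PFH floor."""
    return target >= LOWER_LIMIT[mode]


def allocate_eepe_layer(tolerable_pfd: float, other_layer_pfds: list) -> dict:
    """7.6.2.3 / 7.6.2.6 for a low demand hazard.

    Assumption: the other layers satisfy 7.6.2.7, so the hazard PFD is
    PFD(E/E/PE layer) * product(PFD of other layers).  Solve for the PFD the
    E/E/PE layer must achieve and express it as a SIL.  If that PFD is below
    the 7.6.2.12 floor the allocation is not complete: the risk reduction
    measures must be modified and the allocation repeated (7.6.2.3).
    """
    required = tolerable_pfd / prod(other_layer_pfds)
    ok = meets_lower_limit(Mode.LOW_DEMAND, required)
    return {
        "required_pfd": required,
        # None also when required >= 1e-1, i.e. no SIL-rated function is needed
        "sil": sil_for_target(Mode.LOW_DEMAND, required) if ok else None,
        "allocation_complete": ok,
    }


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    mode: Mode
    target: float
    parts: frozenset  # hardware/software parts lacking independence of implementation


def sil_per_shared_part(functions) -> dict:
    """7.6.2.10: a part used by several functions without sufficient independence
    of implementation belongs to the function with the highest SIL."""
    result = {}
    for f in functions:
        sil = sil_for_target(f.mode, f.target)
        if sil is None:
            raise ValueError(f"{f.name}: target {f.target} is outside SIL 1..4")
        for part in f.parts:
            result[part] = max(result.get(part, 0), sil)
    return result


# Constructed sample data (hypothetical plant, not from the standard).
SAMPLE_FUNCTIONS = [
    SafetyFunction("SF1 close inlet valve on high level", Mode.LOW_DEMAND, 5e-4,
                   frozenset({"logic_solver", "io_card_A"})),
    SafetyFunction("SF2 flame supervision", Mode.HIGH_DEMAND, 3e-7,
                   frozenset({"logic_solver"})),
    SafetyFunction("SF3 overfill alarm", Mode.LOW_DEMAND, 5e-2,
                   frozenset({"io_card_B"})),
]

if __name__ == "__main__":
    print(allocate_eepe_layer(2e-5, [1e-2]))      # relief valve PFD 1e-2: SIL 2 layer needed
    print(allocate_eepe_layer(5e-8, [1e-2]))      # required PFD 5e-6 is below the floor
    print(sil_per_shared_part(SAMPLE_FUNCTIONS))  # logic_solver and io_card_A become SIL 3
```

The second call shows the case 7.6.2.3 and 7.6.2.12 together forbid: the tolerable risk cannot be met by tightening the E/E/PE layer alone, so the checker reports the allocation as incomplete instead of inventing a sub-SIL 4 target. The shared-part function applies the 7.6.2.10 rule, which is why the logic solver used by a SIL 3 and a SIL 2 function is reported at SIL 3.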
.. req:: EN-61508-1 clause 7.6.2.13: documentation of information and results from 7.6.2.1 to 7.6.2.12
   :id: EN_61508_1_7_6_2_13
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The information and results of the overall safety requirements allocation acquired in 7.6.2.1 to 7.6.2.12, together with any assumptions and justifications made (including assumptions concerning the other risk reduction measures that need to be managed throughout the life of the EUC), shall be documented.

.. req:: EN-61508-1 clause 7.7.2.1: specification of an operation and maintenance plan
   :id: EN_61508_1_7_7_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   A plan shall be prepared that shall specify the following:

   \a) the routine actions that need to be carried out to maintain the required functional safety of the E/E/PE safety-related systems;

   \b) the actions and constraints that are necessary (for example during start-up, normal operation, routine testing, foreseeable disturbances, faults and shutdown) to prevent an unsafe state, to reduce the demands on the E/E/PE safety-related system, or to reduce the consequences of the harmful events;

   \c) the documentation that needs to be maintained showing results of functional safety audits and tests;

   \d) the documentation that needs to be maintained on all hazardous events and all incidents with the potential to create a hazardous event;

   \e) the scope of the maintenance activities (as distinct from the modification activities);

   \f) the actions to be taken in the event of hazardous events occurring;

   \g) the contents of the chronological documentation of operation and maintenance activities (see 7.15).

.. req:: EN-61508-1 clause 7.7.2.2: hardware fault tolerance
   :id: EN_61508_1_7_7_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The plan shall ensure that, if any subsystem of an E/E/PE safety-related system with a hardware fault tolerance of zero is taken off-line for testing, the continuing safety of the EUC shall be maintained by additional measures and constraints. The safety integrity provided by the additional measures and constraints shall be at least equal to the safety integrity provided by the E/E/PE safety-related system during normal operation. In the case of any subsystem of an E/E/PE safety-related system with a hardware fault tolerance greater than zero, at least one channel of the E/E/PE safety-related system shall remain in operation during testing, and the testing shall be completed within the MTTR assumed in the calculations carried out to determine compliance with the target failure measure.

.. req:: EN-61508-1 clause 7.7.2.3: routine maintenance activities
   :id: EN_61508_1_7_7_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The routine maintenance activities that are carried out to detect unrevealed faults shall be determined by a systematic analysis.

.. req:: EN-61508-1 clause 7.7.2.4: plan agreement for maintaining E/E/PE safety-related systems
   :id: EN_61508_1_7_7_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The plan for maintaining the E/E/PE safety-related systems shall be agreed upon with those responsible for the operation and maintenance of

   * the E/E/PE safety-related systems;
   * the other risk reduction measures; and
   * the non-safety-related systems that have the potential to place demands on the E/E/PE safety-related systems or other risk reduction measures.

.. req:: EN-61508-1 clause 7.8.2.1: development of a validation plan
   :id: EN_61508_1_7_8_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   A plan shall be developed that shall include the following:

   \a) details of when the validation shall take place;

   \b) details of those who shall carry out the validation;

   \c) specification of the relevant modes of the EUC operation with their relationship to the E/E/PE safety-related system, including where applicable

   * preparation for use, including setting and adjustment;
   * start up;
   * teach;
   * automatic;
   * manual;
   * semi-automatic;
   * steady state of operation;
   * re-setting;
   * shut down;
   * maintenance;
   * reasonably foreseeable abnormal conditions;

   \d) specification of the E/E/PE safety-related systems that need to be validated for each mode of EUC operation before commissioning commences;

   \e) the technical strategy for the validation (for example analytical methods, statistical tests, etc.);

   \f) the measures, techniques and procedures that shall be used for confirming that the allocation of safety functions has been carried out correctly; this shall include confirmation that each safety function conforms

   * with the specification for the overall safety functions requirements, and
   * to the specification for the overall safety integrity requirements;

   \g) specific reference to each element contained in the outputs from 7.5 and 7.6;

   \h) the required environment in which the validation activities are to take place (for example, for tests this would include calibrated tools and equipment);

   \i) the pass and fail criteria;

   \j) the policies and procedures for evaluating the results of the validation, particularly failures.

.. req:: EN-61508-1 clause 7.8.2.2: documentation of 7.8.2.1
   :id: EN_61508_1_7_8_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The information from 7.8.2.1 shall be documented and shall constitute the plan for the overall safety validation of the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.9.2.1: plan for installation of E/E/PE safety-related systems
   :id: EN_61508_1_7_9_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   A plan for the installation of the E/E/PE safety-related systems shall be developed, specifying:

   \a) the installation schedule;

   \b) those responsible for different parts of the installation;

   \c) the procedures for the installation;

   \d) the sequence in which the various elements are integrated;

   \e) the criteria for declaring all or parts of the E/E/PE safety-related systems ready for installation and for declaring installation activities complete;

   \f) procedures for the resolution of failures and incompatibilities.

.. req:: EN-61508-1 clause 7.9.2.2: plan for commissioning of E/E/PE safety-related systems
   :id: EN_61508_1_7_9_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   A plan for the commissioning of the E/E/PE safety-related systems shall be developed, specifying:

   \a) the commissioning schedule;

   \b) those responsible for different parts of the commissioning;

   \c) the procedures for the commissioning;

   \d) the relationships to the different steps in the installation;

   \e) the relationships to the validation.

.. req:: EN-61508-1 clause 7.9.2.3: documentation of installation and commissioning
   :id: EN_61508_1_7_9_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The overall installation and commissioning planning shall be documented.

.. req:: EN-61508-1 clause 7.10.2.1: SSRS from safety requirements allocation
   :id: EN_61508_1_7_10_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_114_001

   The E/E/PE system safety requirements specification shall be derived from the allocation of safety requirements specified in 7.6 together with all relevant information related to the application. This information shall be made available to the E/E/PE safety-related system developer.

.. req:: EN-61508-1 clause 7.10.2.2: requirements for safety functions
   :id: EN_61508_1_7_10_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_114_006

   The E/E/PE system safety requirements specification shall contain requirements for the safety functions and their associated safety integrity levels.

.. req:: EN-61508-1 clause 7.10.2.3: SSRS shall be available to the developers
   :id: EN_61508_1_7_10_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_114_002

   The E/E/PE system safety requirements specification shall be made available to the developer of the E/E/PE safety-related system.

.. req:: EN-61508-1 clause 7.10.2.4: E/E/PE system safety requirements specification structure
   :id: EN_61508_1_7_10_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_114_005

   The E/E/PE system safety requirements specification shall be expressed and structured in such a way that it

   * is clear, precise, unambiguous, verifiable, testable, maintainable and feasible;
   * is written to aid comprehension by those who are likely to utilise the information at any stage of the E/E/PE system safety lifecycle;
   * is expressed in natural or formal language and/or logic, sequence or cause and effect diagrams that define the necessary safety functions, with each safety function being individually defined.

.. req:: EN-61508-1 clause 7.10.2.5: specification shall contain the safety function and safety integrity requirements of 7.10.2.6 and 7.10.2.7
   :id: EN_61508_1_7_10_2_5
   :tags: EN-61508-1
   :derived: MOTIVATION_114_006

   The specification of the E/E/PE system safety requirements shall contain the requirements for the E/E/PE system safety functions (see 7.10.2.6) and the requirements for E/E/PE system safety integrity (see 7.10.2.7).

.. req:: EN-61508-1 clause 7.10.2.6: system safety functions requirements specification content
   :id: EN_61508_1_7_10_2_6
   :tags: EN-61508-1
   :derived: MOTIVATION_114_003

   The E/E/PE system safety functions requirements specification shall contain:

   \a) a description of all the safety functions necessary to achieve the required functional safety, which shall, for each safety function,

   * provide comprehensive detailed requirements sufficient for the design and development of the E/E/PE safety-related systems,
   * include the manner in which the E/E/PE safety-related systems are intended to achieve or maintain a safe state for the EUC,
   * specify whether or not continuous control is required, and for what periods, in achieving or maintaining a safe state of the EUC, and
   * specify whether the safety function is applicable to E/E/PE safety-related systems operating in low demand, high demand or continuous modes of operation;

   \b) response time performance (i.e. the time within which it is necessary for the safety function to be completed);

   \c) E/E/PE safety-related system and operator interfaces that are necessary to achieve the required functional safety;

   \d) all information relevant to functional safety that may have an influence on the E/E/PE safety-related system design;

   \e) all interfaces, necessary for functional safety, between the E/E/PE safety-related systems and any other systems (either within, or outside, the EUC);

   \f) all relevant modes of operation of the EUC, including:

   * preparation for use including setting and adjustment,
   * start-up, teach, automatic, manual, semi-automatic, steady state of operation,
   * steady state of non-operation, re-setting, shut-down, maintenance,
   * reasonably foreseeable abnormal conditions;

   \g) all required modes of behaviour of the E/E/PE safety-related systems shall be specified, in particular the failure behaviour and the required response in the event of failure (for example alarms, automatic shut-down, etc.) of the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.10.2.7: system safety integrity requirements specification content
   :id: EN_61508_1_7_10_2_7
   :tags: EN-61508-1
   :derived: MOTIVATION_114_004

   The E/E/PE system safety integrity requirements specification shall contain:

   \a) the safety integrity level for each safety function and, when required, a specified value for the target failure measure;

   \b) the mode of operation (low demand, high demand or continuous) of each safety function;

   \c) the required duty cycle and lifetime;

   \d) the requirements, constraints, functions and facilities to enable the proof testing of the E/E/PE hardware to be undertaken;

   \e) the extremes of all environmental conditions that are likely to be encountered during the E/E/PE system safety lifecycle, including manufacture, storage, transport, testing, installation, commissioning, operation and maintenance;

   \f) the electromagnetic immunity limits that are required to achieve functional safety. These limits should be derived taking into account both the electromagnetic environment and the required safety integrity levels (see IEC/TS 61000-1-2);

   \g) limiting and constraint conditions for the realisation of E/E/PE safety-related systems due to the possibility of common cause failures (see 7.6.2.7).

.. req:: EN-61508-1 clause 7.13.2.1: installation activities
   :id: EN_61508_1_7_13_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Installation activities shall be carried out in accordance with the plan for the installation of the E/E/PE safety-related systems (see 7.9).

.. req:: EN-61508-1 clause 7.13.2.2: information documented during installation
   :id: EN_61508_1_7_13_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The information documented during installation shall include

   * documentation of installation activities;
   * resolution of failures and incompatibilities.

.. req:: EN-61508-1 clause 7.13.2.3: commissioning activities
   :id: EN_61508_1_7_13_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Commissioning activities shall be carried out in accordance with the plan for the commissioning of the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.13.2.4: information documented during commissioning
   :id: EN_61508_1_7_13_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The information documented during commissioning shall include

   * documentation of commissioning activities;
   * references to failure reports;
   * resolution of failures and incompatibilities.

.. req:: EN-61508-1 clause 7.14.2.1: validation activities
   :id: EN_61508_1_7_14_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Validation activities shall be carried out in accordance with the overall safety validation plan for the E/E/PE safety-related systems (see 7.8).

.. req:: EN-61508-1 clause 7.14.2.2: equipment for validation activities
   :id: EN_61508_1_7_14_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   All equipment used for quantitative measurements as part of the validation activities shall be calibrated against a specification traceable to a national standard or to the vendor specification.

.. req:: EN-61508-1 clause 7.14.2.3: information documented during validation
   :id: EN_61508_1_7_14_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The information documented during validation shall include

   * documentation in chronological form of the validation activities;
   * the version of the specification for the overall safety requirements being used;
   * the safety function being validated (by test or by analysis);
   * tools and equipment used, along with calibration data;
   * the results of the validation activities;
   * configuration identification of the item under test, the procedures applied and the test environment;
   * discrepancies between expected and actual results.

.. req:: EN-61508-1 clause 7.14.2.4: handling and documenting discrepancies during validation
   :id: EN_61508_1_7_14_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   When discrepancies occur between expected and actual results, the analysis made, and the decisions taken on whether to continue the validation or issue a change request and return to an earlier part of the validation, shall be documented.

.. req:: EN-61508-1 clause 7.15.2.1: implementation of the operation and maintenance plan and procedures
   :id: EN_61508_1_7_15_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The following shall be implemented:

   * the plan for operating and maintaining the E/E/PE safety-related systems (see 7.7);
   * the operation, maintenance and repair procedures for the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.15.2.2: implementation of items in 7.15.2.1
   :id: EN_61508_1_7_15_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Implementation of the items specified in 7.15.2.1 shall include initiation of the following actions:

   * the implementation of procedures;
   * the following of maintenance schedules;
   * the maintaining of documentation;
   * the carrying out, periodically, of functional safety audits (see 6.2.7);
   * the documenting of modifications that have been made to the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.15.2.3: chronological documentation
   :id: EN_61508_1_7_15_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Chronological documentation of operation, repair and maintenance of the E/E/PE safety-related systems shall be maintained, which shall contain the following information:

   * the results of functional safety audits and tests;
   * documentation of the time and cause of demands on the E/E/PE safety-related systems (in actual operation), together with the performance of the E/E/PE safety-related systems when subject to those demands, and the faults found during routine maintenance;
   * documentation of modifications that have been made to the EUC, to the EUC control system and to the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.15.2.4: requirements for chronological documentation
   :id: EN_61508_1_7_15_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The exact requirements for chronological documentation will be dependent on the specific product or application and shall, where relevant, be detailed in product and application sector international standards.

.. req:: EN-61508-1 clause 7.16.2.1: planning procedures
   :id: EN_61508_1_7_16_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Prior to carrying out any modification or retrofit activity, procedures shall be planned (see 6.2.8).

.. req:: EN-61508-1 clause 7.16.2.2: initiation of the modification and retrofit phase
   :id: EN_61508_1_7_16_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The modification and retrofit phase shall be initiated only by the issue of an authorized request under the procedures for the management of functional safety (see 6.2.8). The request shall detail the following:

   * the determined hazards that may be affected;
   * the proposed change (both hardware and software);
   * the reasons for the change.

.. req:: EN-61508-1 clause 7.16.2.3: impact analysis
   :id: EN_61508_1_7_16_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   An impact analysis shall be carried out that shall include an assessment of the impact of the proposed modification or retrofit activity on the functional safety of any E/E/PE safety-related system. The assessment shall include a hazard and risk analysis sufficient to determine the breadth and depth to which subsequent overall, E/E/PE system or software safety lifecycle phases will need to be undertaken. The assessment shall also consider the impact of other concurrent modification or retrofit activities, and shall also consider the functional safety both during and after the modification and retrofit activities have taken place.

.. req:: EN-61508-1 clause 7.16.2.4: documentation of 7.16.2.3
   :id: EN_61508_1_7_16_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The results described in 7.16.2.3 shall be documented.

.. req:: EN-61508-1 clause 7.16.2.5: authorization dependencies
   :id: EN_61508_1_7_16_2_5
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Authorization to carry out the required modification or retrofit activity shall be dependent on the results of the impact analysis.

.. req:: EN-61508-1 clause 7.16.2.6: handling modifications
   :id: EN_61508_1_7_16_2_6
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   All modifications that have an impact on the functional safety of any E/E/PE safety-related system shall initiate a return to an appropriate phase of the overall, E/E/PE system or software safety lifecycles. All subsequent phases shall then be carried out in accordance with the procedures specified for the specific phases in accordance with the requirements in this standard.

.. req:: EN-61508-1 clause 7.16.2.7: establishing and maintaining chronological documentation
   :id: EN_61508_1_7_16_2_7
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Chronological documentation shall be established and maintained that shall document details of all modifications and retrofits, and shall include references to:

   * the modification or retrofit request;
   * the impact analysis;
   * reverification and revalidation of data and results;
   * all documents affected by the modification and retrofit activity.

.. req:: EN-61508-1 clause 7.17.2.1: impact analysis prior to decommissioning/disposal activity
   :id: EN_61508_1_7_17_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Prior to any decommissioning or disposal activity, an impact analysis shall be carried out that shall include an assessment of the impact of the proposed decommissioning or disposal activity on the functional safety of any E/E/PE safety-related system associated with the EUC. The impact analysis shall also consider adjacent EUCs and the impact on their E/E/PE safety-related systems. The assessment shall include a hazard and risk analysis sufficient to determine the necessary breadth and depth of subsequent overall, E/E/PE system or software safety lifecycle phases.

.. req:: EN-61508-1 clause 7.17.2.2: documentation of 7.17.2.1
   :id: EN_61508_1_7_17_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The results described in 7.17.2.1 shall be documented.

.. req:: EN-61508-1 clause 7.17.2.3: initiation of the decommissioning/disposal phase
   :id: EN_61508_1_7_17_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The decommissioning or disposal phase shall only be initiated by the issue of an authorized request under the procedures for the management of functional safety (see Clause 6).

.. req:: EN-61508-1 clause 7.17.2.4: decommissioning/disposal authorization dependencies
   :id: EN_61508_1_7_17_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Authorization to carry out the required decommissioning or disposal shall be dependent on the results of the impact analysis.

.. req:: EN-61508-1 clause 7.17.2.5: plan prior to decommissioning/disposal
   :id: EN_61508_1_7_17_2_5
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Prior to decommissioning or disposal taking place, a plan shall be prepared that shall include procedures for:

   * the closing down of the E/E/PE safety-related systems;
   * dismantling the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.17.2.6: decommissioning/disposal impact on E/E/PE safety-related systems
   :id: EN_61508_1_7_17_2_6
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   If any decommissioning or disposal activity has an impact on the functional safety of any E/E/PE safety-related system, this shall initiate a return to the appropriate phase of the overall, E/E/PE system or software safety lifecycles. All subsequent phases shall then be carried out in accordance with the procedures specified in this standard for the safety integrity levels of the safety functions implemented by the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 7.17.2.7: establishing and maintaining chronological documentation
   :id: EN_61508_1_7_17_2_7
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Chronological documentation shall be established and maintained that shall document details of the decommissioning or disposal activities and shall include references to:

   * the plan used for the decommissioning or disposal activities;
   * the impact analysis.

.. req:: EN-61508-1 clause 7.18.2.1: a plan for the verification of each phase
   :id: EN_61508_1_7_18_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   For each phase of the overall, E/E/PE system and software safety lifecycles, a plan for the verification shall be established concurrently with the development for the phase.

.. req:: EN-61508-1 clause 7.18.2.2: verification plan content
   :id: EN_61508_1_7_18_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The verification plan shall document or refer to the criteria, techniques and tools to be used in the verification activities.

.. req:: EN-61508-1 clause 7.18.2.3: verification according to the verification plan
   :id: EN_61508_1_7_18_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   The verification shall be carried out according to the verification plan.

.. req:: EN-61508-1 clause 7.18.2.4: collecting information and documenting evidence of verification activities
   :id: EN_61508_1_7_18_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_001

   Information on the verification activities shall be collected and documented as evidence that the phase being verified has, in all respects, been satisfactorily completed.

.. req:: EN-61508-1 clause 8.2.1: appointing persons to carry out the FSA
   :id: EN_61508_1_8_2_1
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   One or more persons shall be appointed to carry out one or more functional safety assessments in order to arrive at a judgement on the adequacy of:

   * the functional safety achieved by the E/E/PE safety-related systems, within their particular environment, in respect to the relevant clauses of this standard;
   * the compliance to the relevant clauses of this standard, achieved in the case of elements/subsystems.

.. req:: EN-61508-1 clause 8.2.2: FSA assessors' access to persons, information and equipment
   :id: EN_61508_1_8_2_2
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   Those carrying out a functional safety assessment shall have access to all persons involved in any overall, E/E/PE system or software safety lifecycle activity and to all relevant information and equipment (both hardware and software).

.. req:: EN-61508-1 clause 8.2.3: FSA application
   :id: EN_61508_1_8_2_3
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   A functional safety assessment shall be applied to all phases throughout the overall, E/E/PE system and software safety lifecycles, including documentation, verification and management of functional safety.

.. req:: EN-61508-1 clause 8.2.4: FSA considerations
   :id: EN_61508_1_8_2_4
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   Those carrying out a functional safety assessment shall consider the activities carried out and the outputs obtained during each phase of the overall, E/E/PE system and software safety lifecycles and judge whether adequate functional safety has been achieved based on the objectives and requirements in this standard.

.. req:: EN-61508-1 clause 8.2.5: inclusion of relevant claims in the FSA
   :id: EN_61508_1_8_2_5
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   All relevant claims of compliance made by suppliers and other parties responsible for achieving functional safety shall be included in the functional safety assessment.

.. req:: EN-61508-1 clause 8.2.6: FSA may be carried out after each lifecycle phase
   :id: EN_61508_1_8_2_6
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   A functional safety assessment may be carried out after each phase of the overall, E/E/PE system and software safety lifecycles, or after a number of safety lifecycle phases, subject to the overriding requirement that a functional safety assessment shall be undertaken prior to the determined hazards being present.

.. req:: EN-61508-1 clause 8.2.7: FSA inclusion of functional safety audit evidence
   :id: EN_61508_1_8_2_7
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   A functional safety assessment shall include assessment of the evidence that functional safety audit(s) have been carried out (either full or partial) relevant to its scope.

.. req:: EN-61508-1 clause 8.2.8: minimum FSA considerations
   :id: EN_61508_1_8_2_8
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   Each functional safety assessment shall consider at least the following:

   * the work done since the previous functional safety assessment;
   * the plans or strategy for implementing further functional safety assessments of the overall, E/E/PE system and software safety lifecycles;
   * the recommendations of the previous functional safety assessments and the extent to which changes have been made to meet them.

.. req:: EN-61508-1 clause 8.2.9: FSA plan specification
   :id: EN_61508_1_8_2_9
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   Each functional safety assessment shall be planned. The plan shall specify all information necessary to facilitate an effective assessment, including:

   * the scope of the functional safety assessment;
   * the organisations involved;
   * the resources required;
   * those to undertake the functional safety assessment;
   * the level of independence of those undertaking the functional safety assessment;
   * the competence of each person involved in the functional safety assessment;
   * the outputs from the functional safety assessment;
   * how the functional safety assessment relates to, and shall be integrated with, other functional safety assessments where appropriate (see 6.2.1).

.. req:: EN-61508-1 clause 8.2.10: FSA plan approval
   :id: EN_61508_1_8_2_10
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   Prior to a functional safety assessment taking place, its plan shall be approved by those carrying it out and by those responsible for the management of functional safety.

.. req:: EN-61508-1 clause 8.2.11: FSA documentation in accordance with the assessment's plans
   :id: EN_61508_1_8_2_11
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   At the conclusion of a functional safety assessment, those carrying out the assessment shall document, in accordance with the assessment's plans and terms of reference:

   * the activities conducted;
   * the findings made;
   * the conclusions arrived at;
   * a judgement on the adequacy of functional safety in accordance with the requirements of this standard;
   * recommendations that arise from the assessment, including recommendations for acceptance, qualified acceptance or rejection.

.. req:: EN-61508-1 clause 8.2.12: relevant outputs of the FSA shall be made available
   :id: EN_61508_1_8_2_12
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   The relevant outputs of the functional safety assessment of a compliant item shall be made available to those having responsibilities for any overall, E/E/PE system or software safety lifecycle activity, including the designers and assessors of the E/E/PE safety-related system. The output of the assessment of the E/E/PE safety-related system shall be made available to the E/E/PE system integrator.

.. req:: EN-61508-1 clause 8.2.13: contents of the FSA output for a compliant item
   :id: EN_61508_1_8_2_13
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   The output of the functional safety assessment of a compliant item shall include the following information to facilitate the re-use of the assessment results in the context of a larger system (see Annex D of IEC 61508-2, Annex D of IEC 61508-3 and 3.8.17 of IEC 61508-4):

   \a) the precise identification of the compliant item, including the version of its hardware and software;

   \b) the conditions assumed during the assessment (e.g. the conditions of use of the E/E/PE safety-related system);

   \c) reference to the documentation evidence on which the assessment conclusion was based;

   \d) the procedures, methods and tools used for assessing the systematic capability, along with the justification of its effectiveness;

   \e) the procedures, methods and tools used for assessing the hardware safety integrity, together with the justification of the approach adopted and the quality of the data (e.g. the failure rate/distribution data sources);

   \f) the assessment results obtained in relation to the requirements of this standard and to the specification of the safety characteristics of the compliant item in its safety manual;

   \g) the accepted deviations to IEC 61508 requirements, with corresponding explanation and/or reference to evidence contained in documentation.

.. req:: EN-61508-1 clause 8.2.14: FSA persons shall be competent according to the requirements of 6.2.13 to 6.2.15
   :id: EN_61508_1_8_2_14
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   Those carrying out a functional safety assessment shall be competent for the activities to be undertaken, according to the requirements of 6.2.13 to 6.2.15.

.. req:: EN-61508-1 clause 8.2.15: minimum level of independence for the FSA shall be as specified in Tables 4 and 5
   :id: EN_61508_1_8_2_15
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   The minimum level of independence of those carrying out a functional safety assessment shall be as specified in Tables 4 and 5. Product and application sector international standards may specify, with respect to compliance to their standards, different levels of independence to those specified in Tables 4 and 5. The tables shall be interpreted as follows:

   * X: the level of independence specified is the minimum for the specified consequence (Table 4) or safety integrity level/systematic capability (Table 5). If a lower level of independence is adopted, then the rationale for using it shall be detailed.
   * X1 and X2: see 8.2.16.
   * Y: the level of independence specified is considered insufficient for the specified consequence (Table 4) or safety integrity level/systematic capability (Table 5).

.. req:: EN-61508-1 clause 8.2.16: determining the level of independence from the cells of Tables 4 and 5
   :id: EN_61508_1_8_2_16
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   In the context of Tables 4 and 5, only cells marked X, X1, X2 or Y shall be used as a basis for determining the level of independence. For cells marked X1 or X2, either X1 or X2 is applicable (not both), depending on a number of factors specific to the application. The rationale for choosing X1 or X2 should be detailed. Factors that will make X2 more appropriate than X1 are:

   * lack of previous experience with a similar design;
   * greater degree of complexity;
   * greater degree of novelty of design;
   * greater degree of novelty of technology.

.. req:: EN-61508-1 clause 8.2.17: consequence values for Table 4
   :id: EN_61508_1_8_2_17
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   In the context of Table 4, the consequence values for the specified level of independence are:

   * Consequence A: minor injury (for example temporary loss of function);
   * Consequence B: serious permanent injury to one or more persons, death to one person;
   * Consequence C: death to several people;
   * Consequence D: very many people killed.

   The consequences specified in Table 4 are those that would arise in the event of failure of all the risk reduction measures, including the E/E/PE safety-related systems.

.. req:: EN-61508-1 clause 8.2.18: determining minimum levels of independence for Table 5
   :id: EN_61508_1_8_2_18
   :tags: EN-61508-1
   :derived: MOTIVATION_002_025

   In the context of Table 5, the minimum levels of independence shall be based on the safety function, carried out by the E/E/PE safety-related system, that has the highest safety integrity level or, for elements/subsystems, the highest systematic capability, specified in terms of the safety integrity level.
