FSD011: Hazard and risk analysis

| Title | FSD011: Hazard and risk analysis |
|---|---|
| Current version | V1 |
| Products | Safety Simplifier |
| Requirements | 61508-1 clause 7.4 (hazard and risk analysis) |
| Purpose | Determine hazards, hazardous events and hazardous situations |
| Input | FSD010: Concept and overall scope definition |
| Output | FSD011: Hazard and risk analysis |
Description

This document describes the hazards and risks associated with the Safety Simplifier, from the scope defined in FSD010: Concept, overall scope definition, and market requirements.

Particular attention is given to abnormal and infrequent modes of operation, such as:

- configuration
- fatal error/safe state
- startup
Hazardous events and hazardous situations

The following hazardous events and hazardous situations have been determined:

| ID | Title | Status | Derived |
|---|---|---|---|
| HAZARD_01 | Internal hardware failure | PASS | |
| | External hardware failure | PASS | |
| | Active or sporadically active outputs during system configuration | PASS | |
| HAZARD_04 | Active or sporadically active outputs in other Safety Simplifiers during system configuration | PASS | |
| | During service, replacement of a unit results in wrong configuration or pairing | PASS | |
| | Communication errors for all communication interfaces, as defined in 61784-3 | PASS | |
| | Power supply failures | PASS | |
| | Downloading of configuration to wrong destination nodes | PASS | |
| | Failure to download | PASS | |
| | Corrupted configuration | PASS | |
| | Too wide fault handling, false positives, and unreliable operation | PASS | |
| | Inaccurate time measurement in logic | PASS | |
| HAZARD_16 | Nodes being part of multiple networks, or networks including nodes that should not be part of the network | PASS | |
| | Unauthorized access (malicious and unintentional) | PASS | |
| | Environmental factors | PASS | |
| | Restart can cause undefined function | PASS | |
| | User interface controlling outputs | PASS | |
| | Nonsafe code/hardware affecting safety function | PASS | |
| | Active or sporadically active outputs after detecting a fault | PASS | |
| HAZARD_6 | Active or sporadically active outputs in other Safety Simplifiers after detecting a fault | PASS | |
| | Human error during configuration | PASS | |
| | Function block: SR-latch | PASS | |
| | Function block: Filter | PASS | |
| | Function block: Single Input | PASS | |
| | Function block: Single Input | PASS | |
| | Function block: Single Output GUI | PASS | |
Hazard: Internal hardware failure HAZARD_01

An internal hardware failure in the Safety Simplifier can lead to inputs being read incorrectly, outputs being incorrectly active, or logic executing incorrectly. Faulty components, random component failure or wear, and environmental factors can all contribute to internal hardware failures.

Hazard: External hardware failure

Inputs short-circuited to high logic levels lead to an input being identified as high even though it is not. Outputs short-circuited to high logic levels lead to outputs being active even though they should not be. In contrast to Internal hardware failure (HAZARD_01), logic is not affected by external hardware failures.

Hazard: Active or sporadically active outputs during system configuration

While a user is configuring a unit, outputs could be active or sporadically active, which could result in unsafe function.

Hazard: Active or sporadically active outputs in other Safety Simplifiers during system configuration HAZARD_04

While a user is configuring a unit, outputs in other Safety Simplifiers could be active or sporadically active, which could result in unsafe function.

Hazard: Active or sporadically active outputs after detecting a fault

After detecting a dangerous fault and entering the safe state, outputs could be active or sporadically active.

Hazard: Active or sporadically active outputs in other Safety Simplifiers after detecting a fault HAZARD_6

After detecting a dangerous fault and entering the safe state, outputs in other Safety Simplifiers could be active or sporadically active.

Hazard: Human error during configuration

A mistake during configuration could lead to the wrong units being paired, or units not being paired at all, while the user expected them to be paired. This is particularly relevant for configuration interfaces where the user is not directly connected to the unit, such as the radio and CAN interfaces.

Hazard: During service, replacement of a unit results in wrong configuration or pairing

A mistake during servicing could lead to the wrong units being paired, or units not being paired at all, while the user expected them to be paired.

Hazard: Communication errors for all communication interfaces, as defined in 61784-3

Errors in communication can lead to undefined function. The following communication interfaces have to handle this:

Hazard: Power supply failures

No voltage, low voltage, high voltage, and unstable voltage can lead to undefined function.

Hazard: Downloading of configuration to wrong destination nodes

As a result of a user error or software error, a configuration can be downloaded to the wrong destination node.

Hazard: Failure to download

Due to an interruption while configuring a unit, the configuration was not completely downloaded, but the user believed it was.

Hazard: Corrupted configuration

An interruption during download or a software error can lead to a corrupted configuration, which can lead to undefined function.
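The three configuration hazards above (download to the wrong destination node, an interrupted download, and a corrupted configuration) share one property: each can be rejected before the configuration is applied if the image carries its own addressing, length and integrity fields and the receiving node checks all three. The following C program is an added example written for this document; it is not the Safety Simplifier's code, and the image layout, the magic value `SSC1`, the node id width and the names `cfg_build` and `cfg_validate` are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed image layout (an assumption, not the product's real format):
 *   bytes 0..3   magic "SSC1"
 *   bytes 4..5   target node id, little-endian
 *   bytes 6..7   payload length, little-endian
 *   bytes 8..11  CRC-32 (IEEE) over bytes 0..7 and the payload, little-endian
 *   bytes 12..   payload
 */
#define CFG_HDR_LEN     12u
#define CFG_MAX_PAYLOAD 256u
static const uint8_t CFG_MAGIC[4] = { 'S', 'S', 'C', '1' };

typedef enum {
    CFG_OK = 0,
    CFG_ERR_INCOMPLETE, /* fewer bytes than the header announces: download was interrupted */
    CFG_ERR_LENGTH,     /* more bytes than announced, or announced length out of range */
    CFG_ERR_MAGIC,      /* not a configuration image at all */
    CFG_ERR_CRC,        /* bytes were altered in transit or in storage */
    CFG_ERR_WRONG_NODE  /* image is intact but addressed to a different node */
} cfg_status_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Bitwise CRC-32, reflected polynomial 0xEDB88320; caller starts at 0xFFFFFFFF and inverts at the end. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* CRC over magic, node id and length, then the payload; the CRC field itself is skipped. */
static uint32_t cfg_crc(const uint8_t *img, size_t payload_len) {
    uint32_t crc = crc32_update(0xFFFFFFFFu, img, 8);
    return ~crc32_update(crc, img + CFG_HDR_LEN, payload_len);
}

/* Build an image addressed to node_id. Returns the total size, or 0 if it does not fit. */
size_t cfg_build(uint8_t *out, size_t out_cap, uint16_t node_id, const uint8_t *payload, size_t len) {
    if (len > CFG_MAX_PAYLOAD || out_cap < CFG_HDR_LEN + len) return 0;
    memcpy(out, CFG_MAGIC, 4);
    wr16(out + 4, node_id);
    wr16(out + 6, (uint16_t)len);
    memcpy(out + CFG_HDR_LEN, payload, len);
    wr32(out + 8, cfg_crc(out, len));
    return CFG_HDR_LEN + len;
}

/* Accept an image only if it is complete, intact and meant for this node.
 * 'received' is how many bytes actually arrived, which may differ from what the header claims. */
cfg_status_t cfg_validate(const uint8_t *img, size_t received, uint16_t my_node_id) {
    if (received < CFG_HDR_LEN) return CFG_ERR_INCOMPLETE;
    if (memcmp(img, CFG_MAGIC, 4) != 0) return CFG_ERR_MAGIC;
    size_t len = rd16(img + 6);
    if (len > CFG_MAX_PAYLOAD) return CFG_ERR_LENGTH;
    if (received < CFG_HDR_LEN + len) return CFG_ERR_INCOMPLETE;
    if (received > CFG_HDR_LEN + len) return CFG_ERR_LENGTH;
    if (rd32(img + 8) != cfg_crc(img, len)) return CFG_ERR_CRC;
    if (rd16(img + 4) != my_node_id) return CFG_ERR_WRONG_NODE;
    return CFG_OK;
}

int main(void) {
    const uint8_t payload[] = { 0x01, 0x02, 0x03, 0x04, 0x05 }; /* constructed sample payload */
    uint8_t img[CFG_HDR_LEN + CFG_MAX_PAYLOAD];
    size_t n = cfg_build(img, sizeof img, 3, payload, sizeof payload);

    printf("complete, node 3:   %d\n", cfg_validate(img, n, 3));     /* CFG_OK */
    printf("truncated by 2:     %d\n", cfg_validate(img, n - 2, 3)); /* CFG_ERR_INCOMPLETE */
    printf("received by node 4: %d\n", cfg_validate(img, n, 4));     /* CFG_ERR_WRONG_NODE */
    img[CFG_HDR_LEN] ^= 0x01;                                        /* one flipped payload bit */
    printf("corrupted:          %d\n", cfg_validate(img, n, 3));     /* CFG_ERR_CRC */
    return 0;
}
```

The checks run in a deliberate order: the length fields are reconciled with the byte count before the CRC is computed, so a short download is reported as incomplete rather than as a CRC mismatch, and the node id is compared only on an image already proven intact, so a corrupted address byte cannot masquerade as a valid image for another node. A CRC detects accidental corruption only; it does nothing against the separate Unauthorized access hazard, which needs its own measures.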
Hazard: Too wide fault handling, false positives, and unreliable operation

If a user experiences too many false positives or faults that are unclear, they may start to circumvent safety functions.

Hazard: Inaccurate time measurement in logic

Software or hardware errors that cause time measurements to be incorrect may lead to errors in safety functions that rely on correct time and delays.
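One common software cause of inaccurate time measurement is timer arithmetic that misbehaves when a free-running tick counter wraps around, which can make a delay appear to have expired before it has. The following C example is added for this document and is not the product's code: it contrasts a wrap-safe elapsed-time check with a defective one, then uses the safe check in a small on-delay filter. The 32-bit millisecond tick, the filter's behaviour and the names `delay_expired` and `on_delay_step` are assumptions; the page lists a Filter function block without describing it, so the block here is a constructed stand-in, not that function block.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed assumption: a free-running 32-bit millisecond tick that wraps to 0
 * after 2^32 ms (about 49.7 days). All times below are in that unit. */

/* Elapsed time is the unsigned difference, which is correct even after 'now' has wrapped past 'start'. */
static inline uint32_t elapsed_ms(uint32_t now, uint32_t start) {
    return now - start;
}

/* Correct check: has at least 'delay' elapsed since 'start'? */
bool delay_expired(uint32_t now, uint32_t start, uint32_t delay) {
    return elapsed_ms(now, start) >= delay;
}

/* Defective check kept for comparison: 'start + delay' can wrap to a small number,
 * after which the comparison reports the delay as already expired. */
bool delay_expired_naive(uint32_t now, uint32_t start, uint32_t delay) {
    return now >= start + delay;
}

/* On-delay filter (constructed design): the output follows the input only after the
 * input has been continuously true for delay_ms; a false input clears the output and
 * the timer immediately. */
typedef struct {
    uint32_t delay_ms;
    uint32_t rise_tick;  /* tick at which the input last went true */
    bool     timing;     /* input is true and the delay is running or done */
    bool     q;          /* filtered output */
} on_delay_t;

void on_delay_init(on_delay_t *fb, uint32_t delay_ms) {
    fb->delay_ms = delay_ms;
    fb->rise_tick = 0;
    fb->timing = false;
    fb->q = false;
}

bool on_delay_step(on_delay_t *fb, bool in, uint32_t now_ms) {
    if (!in) {
        fb->timing = false;
        fb->q = false;
        return false;
    }
    if (!fb->timing) {           /* rising edge: start timing */
        fb->timing = true;
        fb->rise_tick = now_ms;
    }
    if (!fb->q && delay_expired(now_ms, fb->rise_tick, fb->delay_ms))
        fb->q = true;
    return fb->q;
}

int main(void) {
    /* Timer started 16 ms before the wrap with a 32 ms delay: the naive check fires 17 ms early. */
    uint32_t start = 0xFFFFFFF0u, delay = 32;
    printf("naive   at 0xFFFFFFFF: %d\n", delay_expired_naive(0xFFFFFFFFu, start, delay)); /* 1 (wrong) */
    printf("correct at 0xFFFFFFFF: %d\n", delay_expired(0xFFFFFFFFu, start, delay));       /* 0 */
    printf("correct at 0x00000020: %d\n", delay_expired(0x20u, start, delay));             /* 1 */

    on_delay_t fb;
    on_delay_init(&fb, 50);
    printf("q after 0 ms:  %d\n", on_delay_step(&fb, true, 1000));  /* 0 */
    printf("q after 49 ms: %d\n", on_delay_step(&fb, true, 1049));  /* 0 */
    printf("q after 50 ms: %d\n", on_delay_step(&fb, true, 1050));  /* 1 */
    printf("q input low:   %d\n", on_delay_step(&fb, false, 1051)); /* 0 */
    return 0;
}
```

The naive form errs in the dangerous direction: a filter built on it would pass a short glitch as a sustained input once the tick nears its wrap. The wrap-safe form only covers this one software cause; drift or failure of the clock source itself is a hardware cause that arithmetic cannot correct and has to be covered by other means.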
Hazard: Nodes being part of multiple networks, or networks including nodes that should not be part of the network HAZARD_16

Nodes in a network listening to messages that are not intended for them can lead to undefined function.

Hazard: Unauthorized access (malicious and unintentional)

An unauthorized user could, maliciously or unintentionally, reconfigure a system, either remotely via radio or with physical access.

Hazard: Environmental factors

Using the device outside its specified environmental conditions can lead to undefined function.

Hazard: Restart can cause undefined function

A restart (power cycle, software reset or other) can lead to undefined function.

Hazard: User interface controlling outputs

A user interface (display, push buttons, USB, or other) could accidentally drive outputs high.

Hazard: Nonsafe code/hardware affecting safety function

Nonsafe hardware or software could affect the safety function in an unintended way, leading to undefined function.
Revision History

| Date | By | Version | Description |
|---|---|---|---|
| 2024-12-02 | William | V1 | Initial version |
| 2025-01-30 | William | V2 | Added HAZARD_20. Mapped hazards to requirements in FSD114. |