FSD114: 61508-1 E/E/PE system safety requirements specification
| Title | FSD114: 61508-1 E/E/PE system safety requirements specification |
|---|---|
| Version | V16 |
| Products | Safety Simplifier |
| Requirements | 61508-2:7.2.3.1 |
| Purpose | Specify safety requirements |
| Input | FSD010: Concept, overall scope definition, and market requirements; FSD011: Hazard and risk analysis |
| Output | FSD114: 61508-1 E/E/PE system safety requirements specification |
Description
This document corresponds to phase 9 in Figure 2 - Overall safety lifecycle in IEC 61508-1.
Input to this document is the risk analysis FSD011: Hazard and risk analysis, as well as market requirements defined in FSD010: Concept, overall scope definition, and market requirements.
Motivations
Since the lifecycle phases before phase 9 are not performed (see Element safety function (MOTIVATION_002_001)), the inputs to phase 9 (this document) are the risk analysis (FSD011: Hazard and risk analysis) and the market requirements (FSD010: Concept, overall scope definition, and market requirements).

All developers have access to the documentation, including the system safety requirements specification. All developers also have direct communication with the people involved with the documentation, management, and FSA.

The system safety requirements specification is written according to the requirements specified in 61508, and is written with the goal of being understandable for the people involved in management, development, and FSA. See test Phase 9 (TEST_107_001).

The system safety requirements specification contains the system safety function requirements for the Safety Simplifier and the requirements for system safety integrity. The SIL requirement is specified in SIL3/CAT4/PLe (SREQ_01A). The safety function requirements are derived from the inputs to this document (risk analysis and market requirements). See Safety function requirements (MOTIVATION_114_003) and SIL requirements (MOTIVATION_114_004).

a) First see Element safety function (MOTIVATION_002_001). Static safe state (SREQ_05) specifies the safe state (no continuous control). High demand/continuous mode (SREQ_06A) specifies high demand/continuous mode.
b) Response time performance is specified in Max response time (SREQ_07), Response time (SREQ_08A), Link timeout (SREQ_08B), and Dangerous failure response ... (SREQ_09A).
c) The operator interfaces are specified in No external control (SREQ_02) and Means of configuration (SREQ_10A).
d) See SIL3/CAT4/PLe (SREQ_01A).
e) Interfaces to other safety-related systems include only the Simplifier Gateway, which is covered by the SimpleCAN protocol specification. PC software is used to configure units and systems. See Means of configuration (SREQ_10A).
f) N/A, the EUC is not included in the scope.
g) See Modes of operation (SREQ_15A) and Configuration mode (SREQ_15B).

a) As per market requirement, SIL 3 and PL e/Category 4 are required, see SIL3/CAT4/PLe (SREQ_01A).
b) Continuous/high demand mode, according to IEC 61508-1, Table 3, which gives a target failure measure (probability of a dangerous failure per hour) of \(\geq 10^{-8}\) to \(< 10^{-7}\). See High demand/continuous mode (SREQ_06A) and High demand or continuous m... (SREQ_06B).
c) Specified in FSD202.
d) Proof testing activities are not used; instead, automatic online diagnostic tests are implemented. See Startup/continuous tests & d... (SREQ_16A).
e) See Environmental conditions (SREQ_17A), Storage temperature (SREQ_17B), Operating temperature (SREQ_17C), Environmental conditions (SREQ_17D), and ES1 according to IEC/EN 623... (SREQ_18C).
f) See CE/EMC (SREQ_19).
g) Hardware common cause failure analysis is in FSD203: Estimation of hardware common cause failures.

The Safety Simplifier is a control system intended for implementation of the logic part (subsystem) of one or several safety functions for machinery (i.e. high demand/continuous mode of operation).
SREQ summary

| ID | Title | Source | Status | Derived |
|---|---|---|---|---|
| | SIL3/CAT4/PLe | | PASS | DREQ_CAT4_1; DREQ_103A; DREQ_REDUNDANCY_1; DREQ_EMC_1; DREQ_EMC_2; DREQ_107A; DREQ_113A; DREQ_17B; DREQ_17C |
| | PLC | | PASS | DREQ_122A; DREQ_201A; DREQ_LOGIC_201A; DREQ_LOGIC_201B; DREQ_CAT4_1; DREQ_REDUNDANCY_1 |
| | No external control | | PASS | |
| | Internal failure monitoring | | PASS | DREQ_28B; DREQ_111A; DREQ_16C; DREQ_01F; DREQ_115A; DREQ_115B; DREQ_201A; DREQ_27B; DREQ_16B; DREQ_16A; DREQ_108A; DREQ_C2C_6 |
| | Internal failure safe state | | PASS | |
| | External failure safe state | | PASS | |
| | Design safe state | | PASS | |
| | Static safe state | | PASS | |
| | High demand/continuous mode | | PASS | |
| | High demand or continuous mode calculations | | PASS | |
| | Max response time | | PASS | |
| | Response time in user manual | | PASS | |
| | Response time | | PASS | |
| | Link timeout | | PASS | |
| | Dangerous failure response time | | PASS | |
| | Dangerous failure response time network | | PASS | |
| | Trained personnel | | PASS | |
| | Means of configuration | | PASS | |
| | Configuration authorization | | PASS | |
| | I/O ON/OFF states | | PASS | |
| | Safety manual | | PASS | |
| | Potential free outputs | | PASS | |
| | Digital outputs | | PASS | DREQ_01F; DREQ_104A; DREQ_115A; DREQ_115B; DREQ_115C; DREQ_115D; DREQ_115E; DREQ_115F; DREQ_126A; DREQ_13A; DREQ_15A |
| | Digital inputs | | PASS | DREQ_01C; DREQ_102A; DREQ_114A; DREQ_16C; DREQ_114B; DREQ_114C; DREQ_114D; DREQ_114E; DREQ_116B; DREQ_116C; DREQ_14A; DREQ_11A; DREQ_126B |
| | Modes of operation | | PASS | DREQ_MODES_1; DREQ_NORMALMODE_1; DREQ_SAFESTAE_1; DREQ_SAFESTAE_2; DREQ_LOGIC_200A; DREQ_LOGIC_200B; DREQ_LOGIC_200C; DREQ_LOGIC_200D; DREQ_LOGIC_200G |
| | Startup/continuous tests & diagnostic | | PASS | |
| | Startup/continuous tests & diagnostic | | PASS | |
| | Environmental conditions | | PASS | |
| | Storage temperature | | PASS | |
| | Operating temperature | | PASS | |
| | Environmental conditions | | PASS | |
| | ES1 according to IEC/EN 62368-1 | | PASS | |
| | ES1 according to IEC/EN 62368-1 | | PASS | DREQ_PSU_01; DREQ_24A; DREQ_24B; DREQ_24C; DREQ_24D; DREQ_101A; DREQ_111A; DREQ_124A |
| | ES1 according to IEC/EN 62368-1 | | PASS | |
| | CE/EMC | | PASS | |
| | Radio source nodes | | PASS | |
| | Safe state during software upgrade | | PASS | |
| | Communication timeout | | PASS | |
| | Power supply | | PASS | |
| | Input filter | | PASS | |
| | Input filter | | PASS | |
| | Timing accuracy | | PASS | |
| | Unique ID | | PASS | |
| | Unique ID | | PASS | |
| | Unique IDs | | PASS | |
| | Networks | | PASS | |
| | Non safety functions | | PASS | |
| | Dangerous internal hardware failures shall be detected | | PASS | |
| | External failures shall be detected and handled | | PASS | |
| | Safe state during configuration | | PASS | |
| | Safe state in other nodes during configuration | | PASS | |
| | Safe state during fatal error | | PASS | |
| | Safe state in other nodes during fatal error | | PASS | |
| | Procedures for correctly configuring Safety Simplifier | | PASS | DREQ_MANUAL_20; DREQ_MANUAL_21; DREQ_MANUAL_22; DREQ_LOGIC_210B; DREQ_LOGIC_210C |
| | Configuration | | PASS | |
| | Configuration | | PASS | |
| | Configuration | | PASS | DREQ_LOGIC_200E; DREQ_LOGIC_200H; DREQ_LOGIC_210A; DREQ_LOGIC_210B; DREQ_LOGIC_210C |
| | Radio communication | | PASS | |
| | CAN communication | | PASS | |
| | General black channel interface | | PASS | |
| | CPU2CPU communication | | PASS | DREQ_C2C_1; DREQ_C2C_2; DREQ_C2C_3; DREQ_C2C_4; DREQ_C2C_5; DREQ_C2C_6; DREQ_C2C_7; DREQ_C2C_8 |
| | Power supply | | PASS | |
| | Fault handling | | PASS | |
| | Fault handling | | PASS | |
| | Fault handling | | PASS | |
| | Time measurement accuracy | | PASS | |
| | Time measurement faults | | PASS | |
| | All units shall have a unique identifier | | PASS | |
| | All nodes in a network shall be specified in the configuration | | PASS | |
| | Unauthorized use | | PASS | |
| | Environmental conditions | | PASS | SREQ_17A; SREQ_17B; SREQ_17C; SREQ_17D; SREQ_18A; SREQ_18B; SREQ_18C; SREQ_19 |
| | Restart and reset | | PASS | |
Safety requirements
All possible internal hardware failures that may lead to a loss of safety function shall be monitored, detected, and handled.
Dangerous external hardware failures shall be detected and handled.
During configuration, all outputs shall be in a safe state.
During configuration of a unit, relevant outputs in other units shall be in a safe state.
In case a dangerous fault is detected, all outputs shall be in a safe state.
In case of a fatal error in a unit, relevant outputs in other units shall be in a safe state. Note: This is handled via radio timeout, which results in all affected outputs going to OFF state, the design safe state as implemented by the user (see Design safe state (SREQ_04B)).
Procedures for correctly identifying units for configuration shall be provided to end users.
The success or failure of a configuration attempt shall be clear to the user.
Corrupted configurations shall be detected and handled.
During configuration, the firmware and the PC configuration software shall guarantee that the configuration is downloaded to the correct unit.
The radio communication interface shall fulfil the requirements for black channel communication as defined in IEC 61784-3.
The CAN communication interface shall fulfil the requirements for black channel communication as defined in IEC 61784-3. The safety CAN communication protocol shall be SimpleCAN (as specified in FSD350).
The general black channel interface shall fulfil the requirements for black channel communication as defined in IEC 61784-3.
The CPU2CPU communication shall fulfil the requirements for white channel communication as defined in IEC 61508 and IEC 61784-3.
No voltage, low voltage, high voltage, and unstable voltage shall be detected and handled.
Fault monitoring shall not lead to false positives, and normal operation shall be stable.
If a fault is detected, the cause of that fault and its mitigation shall be clear to the user.
Common input signal errors (such as disturbances and noisy signals), up to reasonable specified limits (such as frequency, voltage, and duration), shall be handled.
All timing requirements shall be specified and met, within a reasonable specified margin.
Hardware and software relating to time measurement shall be monitored for faults that can cause timing inaccuracies.
All units shall have a unique identifier, which cannot be changed. Note: Unique in the context of Safety Simplifier, i.e. two Safety Simplifiers shall not have the same identifier.
The configuration shall specify all nodes that are part of the network by their unique identifier.
Unauthorized users shall not be able to reconfigure a unit.
The environmental conditions that the Safety Simplifier can be used in shall be specified. Todo: Are the environmental conditions rather a market requirement?
Restart and reset shall not result in a hazard or an unsafe function.
The Safety Simplifier shall implement part (as logic subsystem) of one or several overall safety function(s) operating on an EUC within the scope of the Machinery Directive 2006/42/EC and assigned/associated with a safety integrity requirement up to SIL 3 (IEC 61508) and/or PL e / Cat 4 (ISO 13849-1).
The element safety function of the Safety Simplifier shall provide output signals in accordance with a user-defined algorithm/configuration in combination with the signals on its inputs, up to SIL 3/PL e.
There shall exist no external interface to directly control safety outputs.
All possible internal dangerous failures shall be monitored, detected, and handled.
If an internal dangerous failure is detected, the unit shall enter safe state, as defined in Static safe state (SREQ_05).
If an external dangerous failure is detected, all affected outputs in all affected units shall either go low (0 V) or go into OFF-state, depending on the detected failure. Note: OFF-state is not the same as "turning off". OFF-state for transistor outputs is a "design safe state" defined by the user.
Design safe state shall be defined as either safe state or OFF-state. The system integrator defines the design safe state.
The Safety Simplifier shall achieve a safe state in a static manner by all outputs going low (0 V), i.e. no continuous control is needed. This shall be defined as "Safe state".
The element safety functions provided by the Simplifier system shall operate in high demand or continuous mode.
High demand or continuous mode shall be used for the calculation of PFHd and MTTFd.
The absolute maximum time delay (response time) \(T_{Rmax}\) shall not exceed \(T_{Rmax} = T_R + T_{CL}\), where the response time \(T_R\) is defined in Response time (SREQ_08A) and the maximum configurable link timeout \(T_{CL}\) is defined in Link timeout (SREQ_08B). Note: Response times defined here do not consider filtering and delays defined by the integrator.
A method to calculate the overall response time shall be available to users.
For valid I/O signals, the response time from input to output shall not exceed \(T_R = T_I + T_L + T_O\), where:
Note: Response times defined here do not consider filtering and delays defined by the integrator. Todo: input/logic/output response time table.
The communication link timeout \(T_{CL}\) shall be configurable in the range 2 ms to 60000 ms. Note: Normally, values outside the range of roughly 10 ms to 2 s are exceptional, but they are allowed by these safety requirements for special applications.
The maximum delay between a dangerous failure occurring in a unit and the unit reaching safe state shall be 500 ms.
The maximum delay between a dangerous failure occurring in a unit and all affected outputs in the complete system reaching safe state or design safe state shall be \(T_{Rmax} + 500\) ms. \(T_{Rmax}\) is defined in Max response time (SREQ_07). Note: The complete system here refers to all nodes in a network that depend on inputs from the node that detected the failure.
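The response time requirements above chain together: \(T_R = T_I + T_L + T_O\), \(T_{Rmax} = T_R + T_{CL}\), and a dangerous failure in a sending node is bounded system-wide by \(T_{Rmax} + 500\) ms. The following is an added worked example (illustrative code written for this page, not from the original document or the product's software) that applies those formulas to one configuration, rejects a link timeout outside the 2 ms to 60000 ms range, and adds the "2 ms + 0.1 %" timing accuracy tolerance from the Timing accuracy requirement later in this document when checking the result against a reaction-time limit. The input, logic and output figures passed in, the additive treatment of the tolerance, and the name `fits_within` are assumptions for the example; the integrator's own filters and delays are excluded, as the requirements state.

```python
from dataclasses import dataclass

# Constants taken from the requirements text; everything else is example scaffolding.
T_CL_MIN_MS = 2             # Link timeout: configurable range 2 ms ...
T_CL_MAX_MS = 60000         # ... to 60000 ms
UNIT_SAFE_STATE_MS = 500    # detecting unit reaches safe state within 500 ms
ACCURACY_FIXED_MS = 2.0     # Timing accuracy: better than 2 ms + 0.1 %
ACCURACY_REL = 0.001


@dataclass(frozen=True)
class ResponseBudget:
    t_r_ms: float          # T_R = T_I + T_L + T_O, valid signal from input to output
    t_cl_ms: float         # T_CL, the configured link timeout
    t_rmax_ms: float       # T_Rmax = T_R + T_CL
    t_dangerous_ms: float  # T_Rmax + 500 ms: all affected outputs in the network safe


def link_timeout_in_range(t_cl_ms: float) -> bool:
    """Link timeout requirement: only 2 ms..60000 ms is a valid configuration."""
    return T_CL_MIN_MS <= t_cl_ms <= T_CL_MAX_MS


def worst_case_timer_ms(nominal_ms: float) -> float:
    """Latest expiry of a timer with this nominal length under the
    '2 ms + 0.1 %' accuracy requirement (assumption: tolerance is additive)."""
    return nominal_ms + ACCURACY_FIXED_MS + ACCURACY_REL * nominal_ms


def response_budget(t_i_ms: float, t_l_ms: float, t_o_ms: float, t_cl_ms: float) -> ResponseBudget:
    """Apply the Max response time, Response time and dangerous failure
    response time formulas to one configuration."""
    if not link_timeout_in_range(t_cl_ms):
        raise ValueError(f"T_CL = {t_cl_ms} ms is outside {T_CL_MIN_MS}..{T_CL_MAX_MS} ms")
    t_r = t_i_ms + t_l_ms + t_o_ms
    t_rmax = t_r + t_cl_ms
    return ResponseBudget(t_r, t_cl_ms, t_rmax, t_rmax + UNIT_SAFE_STATE_MS)


def fits_within(budget: ResponseBudget, limit_ms: float) -> bool:
    """True when even a dangerous failure in the sending node drives every
    affected output safe inside limit_ms (the integrator's required reaction
    time, an assumption here), counting the timer tolerance on T_CL."""
    tolerance = worst_case_timer_ms(budget.t_cl_ms) - budget.t_cl_ms
    return budget.t_dangerous_ms + tolerance <= limit_ms


if __name__ == "__main__":
    # Constructed figures: 10 ms input, 5 ms logic, 5 ms output, 100 ms link timeout.
    b = response_budget(10, 5, 5, 100)
    print(f"T_R={b.t_r_ms} ms  T_Rmax={b.t_rmax_ms} ms  worst case={b.t_dangerous_ms} ms")
    print("fits 700 ms limit:", fits_within(b, 700), " fits 621 ms limit:", fits_within(b, 621))
```

The last check is the point of the tolerance: a budget that computes to exactly 620 ms does not fit a 621 ms limit once the link timeout timer is allowed its 2 ms + 0.1 % error, which is the margin the "reasonable specified margin" wording of the timing requirement has to absorb.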
There shall be no user interface for replacing units. For commissioning and replacement (including repairs), all units shall be programmed from a PC or a memory card.
All changes to the configuration by PC shall be authorized by a password.
All I/O shall have a defined ON-state and OFF-state. Note: The ON and OFF states are defined by defining the signal types of all I/Os in ON and OFF state.
Safety Simplifier shall have optional potential free outputs.
Safety Simplifier shall have optional static and coded transistor outputs.
The Safety Simplifier shall have static, coded and analogue inputs. Note: The analogue inputs can be used as digital inputs via a comparator.
The following modes of operation shall be available:
There shall exist a configuration mode, which is the only mode in which a new configuration is accepted. In configuration mode, the unit shall be in safe state as defined in Static safe state (SREQ_05).
There shall exist a fatal error mode, in which the unit shall be in safe state as defined in Static safe state (SREQ_05). If a fatal error is detected, the unit shall enter this mode. All parts of the system that are affected by the fatal error shall be switched off/unavailable.
Automatic diagnostic tests shall be either start-up tests or continuous tests during operation.
A restart (such as a power cycle or software reset) shall not result in an unsafe function.
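The mode, safe-state and configuration requirements above (configuration mode as the only mode that accepts a configuration, fatal error mode forcing safe state, a restart that must not produce an unsafe function, start-up tests, detection of corrupted configurations and delivery to the correct unit) describe one small state machine. The following is an added example written for this page, not the Safety Simplifier firmware, of how such a node can be gated so that its output image is all-low in every mode except normal operation. Assumptions: a "normal" operating mode as the third mode, a configuration blob laid out as target unit ID + logic payload + CRC-32 trailer, a toy `AND`/`OR` logic in place of the user-defined configuration, and the rule that a node with no valid configuration stays in configuration mode after start-up tests.

```python
import enum
import struct
import zlib
from typing import Callable, Optional, Sequence


class Mode(enum.Enum):
    CONFIGURATION = "configuration"  # only mode in which a new configuration is accepted
    NORMAL = "normal"                # only mode in which outputs follow the logic (assumed name)
    FATAL_ERROR = "fatal_error"      # entered on a fatal error; left only by restart


def make_configuration(target_unique_id: int, logic: bytes) -> bytes:
    """PC-side packaging (assumed layout): target unit ID + logic + CRC-32 over both.
    The target ID lets the unit verify the download was meant for it."""
    body = struct.pack("<I", target_unique_id) + logic
    return body + struct.pack("<I", zlib.crc32(body))


class Node:
    def __init__(self, unique_id: int, n_outputs: int, startup_tests: Callable[[], bool]):
        self.unique_id = unique_id          # fixed, unchangeable identifier
        self.n_outputs = n_outputs
        self.startup_tests = startup_tests  # automatic diagnostic start-up tests
        self.logic: Optional[bytes] = None
        self.mode = Mode.CONFIGURATION
        self.last_config_result = "no configuration loaded"
        self.restart()

    def restart(self) -> Mode:
        """Power cycle / software reset: outputs are low from the start and stay
        low until start-up tests pass and a valid configuration is present."""
        self.mode = Mode.CONFIGURATION      # safe state while tests run
        if not self.startup_tests():
            self.mode = Mode.FATAL_ERROR
        elif self.logic is not None:
            self.mode = Mode.NORMAL
        return self.mode

    def fatal_error(self) -> None:
        """A detected fatal error forces safe state until the unit is restarted."""
        self.mode = Mode.FATAL_ERROR

    def enter_configuration(self) -> bool:
        """Allowed from normal operation; a unit in fatal error needs a restart first."""
        if self.mode is Mode.FATAL_ERROR:
            return False
        self.mode = Mode.CONFIGURATION
        return True

    def accept_configuration(self, blob: bytes) -> bool:
        """Reject anything outside configuration mode, anything corrupted, and
        anything addressed to another unit; record a reason the user can read."""
        if self.mode is not Mode.CONFIGURATION:
            self.last_config_result = "rejected: not in configuration mode"
            return False
        if len(blob) < 8 or zlib.crc32(blob[:-4]) != struct.unpack("<I", blob[-4:])[0]:
            self.last_config_result = "rejected: checksum mismatch (corrupt download)"
            return False
        target = struct.unpack_from("<I", blob)[0]
        if target != self.unique_id:
            self.last_config_result = f"rejected: addressed to unit {target:#010x}"
            return False
        self.logic = blob[4:-4]
        self.last_config_result = "accepted; restart to activate"
        return True

    def evaluate(self, inputs: Sequence[int]) -> list:
        """Output image for one cycle: static safe state (all outputs low) in
        every mode except normal operation."""
        if self.mode is not Mode.NORMAL or self.logic is None:
            return [0] * self.n_outputs
        value = all(inputs) if self.logic == b"AND" else any(inputs)
        return [int(value)] * self.n_outputs
```

Two design points are worth noting. The output image is computed from the mode on every cycle rather than "switched off" once, which is what makes the safe state static: there is no path through the code in which a stale output survives a mode change. And the unit checks the target ID embedded in the download against its own unchangeable ID, so the "correct unit" guarantee does not depend on the PC software alone.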
The environmental conditions that the device is considered to be exposed to during its lifecycle (except during testing) are temperature (operation and storage), humidity (operation and storage), and vibration (operation and storage).
The test requirement for storage temperature shall be -40 °C to +70 °C, with storage humidity less than 95 %.
For units in an IP65 enclosure, the test requirement for operating temperature shall be -30 °C to +60 °C, with operating humidity less than 95 %.
The test requirement for vibration shall be 3 g at 5 to 300 Hz.
The Safety Simplifier power supply shall fulfil the requirements for ES1 according to IEC/EN 62368-1.
The Safety Simplifier power supply voltage shall be within a minimum of 7 VDC up to a maximum of 33 VDC.
For interfacing the Safety Simplifier to other devices, all voltages shall be below 50 V.
Safety Simplifier shall fulfil the requirements for CE.
A node shall only use safety data via radio or CAN from other nodes that are part of its network.
A node shall not be part of any safety function during software upgrade (safe state).
After link timeout (radio and CAN), a receiving node shall consider all safety signals from the timed-out node as 0. Note: Signals defined as non-safe may be used at their last valid value.
Safety Simplifier shall handle the following power supply failures:
Input signal noise shall be handled.
Input signals shall have a configurable filter.
All timing shall be performed with an accuracy better than 2 ms + 0.1 %.
Each Safety Simplifier shall have a unique ID.
Each memory card module shall have a unique ID.
Memory cards and Safety Simplifiers shall use the same ID series.
A node which transmits safety data shall seed the checksum with its own unique ID, or with the ID of an installed memory card module. Note: Using the ID of the memory card allows exchanging units by moving the memory card, without needing to reconfigure the whole network.
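Four of the requirements above act together on the receiving side of a radio or CAN link: a node uses safety data only from nodes in its configured network, the configuration lists every node by unique ID, the transmitter seeds its checksum with that ID (or its memory card's ID), and after link timeout every safety signal from the peer reads 0 while non-safe signals may keep their last value. The following is an added example written for this page (illustrative code, not the SimpleCAN protocol and not the Safety Simplifier firmware) that shows the transmitter and receiver halves of that exchange. The frame layout (1-byte network address, 16-bit sequence counter, one byte of safety signals, one byte of non-safe signals, CRC-32 trailer) and the use of CRC-32 as the checksum are assumptions for the example.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

HEADER = struct.Struct("<BH")   # assumed: network address (1 byte), sequence counter (16 bit)
PAYLOAD_LEN = 2                 # one byte of safety signals, one byte of non-safe signals
CRC_LEN = 4


def build_frame(address: int, seq: int, safe_bits: int, nonsafe_bits: int,
                sender_unique_id: int) -> bytes:
    """Transmitter side: CRC-32 over header and payload, seeded with the sender's
    unique ID (the unit's own ID, or the ID of an installed memory card)."""
    body = HEADER.pack(address, seq & 0xFFFF) + bytes([safe_bits & 0xFF, nonsafe_bits & 0xFF])
    return body + struct.pack("<I", zlib.crc32(body, sender_unique_id & 0xFFFFFFFF))


@dataclass
class Link:
    unique_id: int                     # ID the configuration lists for this peer
    seq: Optional[int] = None          # last accepted sequence counter
    last_rx_ms: Optional[float] = None
    safe_bits: int = 0                 # forced to 0 after link timeout
    nonsafe_bits: int = 0              # may keep its last valid value


class Receiver:
    def __init__(self, network: Dict[int, int], link_timeout_ms: float):
        """network: address -> unique ID of every node in this node's configuration."""
        self.links = {addr: Link(uid) for addr, uid in network.items()}
        self.link_timeout_ms = link_timeout_ms

    def receive(self, frame: bytes, now_ms: float) -> bool:
        """Accept a frame only if it comes from a configured peer, its CRC verifies
        under that peer's configured ID, and its counter moves forward."""
        if len(frame) != HEADER.size + PAYLOAD_LEN + CRC_LEN:
            return False
        body, crc = frame[:-CRC_LEN], struct.unpack("<I", frame[-CRC_LEN:])[0]
        address, seq = HEADER.unpack_from(body)
        link = self.links.get(address)
        if link is None:
            return False    # not part of this node's network: never used as safety data
        # Seed with the ID from the configuration, not with anything carried in the
        # frame, so a misrouted frame or a replaced unit with another ID is rejected.
        if zlib.crc32(body, link.unique_id & 0xFFFFFFFF) != crc:
            return False
        if link.seq is not None and not 0 < ((seq - link.seq) & 0xFFFF) < 0x8000:
            return False    # repeated or stale frame
        link.seq, link.last_rx_ms = seq, now_ms
        link.safe_bits, link.nonsafe_bits = body[HEADER.size], body[HEADER.size + 1]
        return True

    def timed_out(self, address: int, now_ms: float) -> bool:
        link = self.links[address]
        return link.last_rx_ms is None or now_ms - link.last_rx_ms > self.link_timeout_ms

    def safety_inputs(self, address: int, now_ms: float) -> int:
        """Safety signals from a peer: 0 (safe) until the first valid frame and after timeout."""
        return 0 if self.timed_out(address, now_ms) else self.links[address].safe_bits

    def nonsafe_inputs(self, address: int) -> int:
        """Non-safe signals may retain the last valid value across a timeout."""
        return self.links[address].nonsafe_bits


if __name__ == "__main__":
    # Constructed network: address 0x10 is the unit (or memory card) with ID 0xA1B2C3D4.
    rx = Receiver({0x10: 0xA1B2C3D4}, link_timeout_ms=100)
    print(rx.receive(build_frame(0x10, 1, 0b101, 0xFF, 0xA1B2C3D4), now_ms=0))   # True
    print(rx.receive(build_frame(0x10, 2, 0b101, 0xFF, 0xDEADBEEF), now_ms=10))  # False
    print(rx.safety_inputs(0x10, 50), rx.safety_inputs(0x10, 150))                # 5 0
```

Two caveats a reviewer would raise. Seeding the CRC with the configured ID is equivalent to prefixing the ID to the checked data: it catches misrouting, a wrong or swapped unit, and random corruption, which are the black-channel faults IEC 61784-3 is concerned with, but a CRC with a known seed is not an authenticator. Anyone who knows the IDs and frame layout can construct an acceptable frame, so this mechanism offers no protection against a deliberate sender on the radio or CAN medium; nothing in the requirements above claims that it does. Second, the safe default is owned by the receiver: `safety_inputs` returns 0 before the first valid frame as well as after timeout, so a peer that never comes up cannot contribute a non-safe value.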
Only trained personnel following the design procedure shall be allowed to configure a Simplifier.
The safety manual shall fulfil the requirements for a safety manual in 61508.
Non-safety-related functions in hardware and software shall not interfere with safety functions in an unsafe manner. Note: Non-safety-related functions are functions such as diagnostics, configuration, monitoring, and debugging.
Revision History

| Date | By | Version | Description |
|---|---|---|---|
| 2017-02-23 | Mats Linger | V1 | Initial version |
| 2017-03-02 | Mats Linger | V2 | Added Req11 |
| 2017-06-30 | Mats Linger | V8 | Correction of text, no change in requirements. |
| 2017-07-07 | Mats Linger | V9 | SREQ 28 and SREQ 29 |
| 2017-08-18 | Mats Linger | V10 | SREQ 10 changed. |
| 2017-09-10 | Mats Linger | V11 | SREQ 8 changed |
| 2017-10-09 | Mats Linger | V12 | SREQ 7 & 8 changed |
| 2018-04-12 | Mats Linger | V13 | Figure redrawn, no changes |
| 2018-04-16 | Mats Linger | V14 | SREQ 4 change to affected unit. |
| 2018-05-02 | Mats Linger | V15 | Modified SREQ8 |
| 2023-08-15 | William Forsdal | V16 | Changes: |
| 2024-11-15 | William Forsdal | V17 | Changes: |
| 2024-12-02 | William Forsdal | V18 | Changes: |
| 2025-01-14 | William Forsdal | V18 | Changes: |