# FSD120: System design requirements specification

| Title | FSD120: System design requirements specification |
|---|---|
| Version | V12 |
| Products | Safety Simplifier |
| Requirements | 61508-2: clause 7.2 |
| Purpose | Specify overall design requirements |
| Input | FSD114: 61508-1 E/E/PE system safety requirements specification |
| Output | |
## Introduction

This document corresponds to phase 10.1 of figure 2 in 61508-2.

For an overview of the general design of the system, refer to FSD120 Appendix 1.

This document identifies design requirements. A design requirement is either derived from a safety requirement SREQxx, in which case it reuses the reference number xx and is named DREQxx_yy, or it is a new design requirement, in which case it is numbered from DREQ101_yy upwards. yy starts from 1.
## Motivations for requirements in 61508-2

All design requirements are derived from safety requirements specified in FSD114: 61508-1 E/E/PE system safety requirements specification.

a), b) See FSD107: System verification plan, validation test specifications and results, chapter 2. The design requirements specification is written according to the requirements specified in 61508, with the goal of being understandable by the people involved in management, development and FSA.

c) See FSD107: System verification plan, validation test specifications and results, chapter 2. All design requirements are derived from safety requirements specified in FSD114: 61508-1 E/E/PE system safety requirements specification.

The following points map to the requirements in 61508-2 clause 7.2.3.3:

a) According to 7.4.4, the claimed hardware safety integrity is achieved by route 1H (hardware fault tolerance and safe failure fraction). See CAT4/HFT 1 (DREQ_CAT4_1), Logic redundancy 13849-1 (DREQ_REDUNDANCY_1) and PLC (SREQ_01B) and its derived requirements.

b) See hardware calculations. Hardware diagnostic coverage is mainly implemented in software; see the requirements derived from Startup/continous tests & d... (SREQ_16A) and Startup/continous tests & d... (SREQ_16B). Proof testing of output transistors: Redundant outputs CAT4 (DREQ_01F), Transistor outputs 10 fits (DREQ_104A). To fulfil the requirements for all other parts of the hardware/software, units must also be manually restarted within a certain interval, as specified by Restart once per year (DREQ_112A).

c) Different ways to achieve safe state are specified depending on the type of failure:

d) See Restart once per year (DREQ_112A).

e) See EMC (DREQ_EMC_1), RED (Radio Equipment Directive) (DREQ_EMC_2), Environment tests 61131-2 (DREQ_113A) and Temperature tests (DREQ_17C).

f) See EMC (DREQ_EMC_1) and RED (Radio Equipment Directive) (DREQ_EMC_2).

g) Quality assurance/quality control measures are specified in FSD002: Management of functional safety, specifically recommendation resolution p... (MOTIVATION_002_004), hazard-management procedures (MOTIVATION_002_005) and modification procedures (MOTIVATION_002_007).

Verification activities are specified in FSD107: System verification plan, validation test specifications and results. The system design requirements specification is completed in detail: each requirement depends on lower-level, more detailed requirements and tests, and is marked PASS when all derived requirements and tests are fulfilled and completed. Change management and modification are specified in FSD002: Management of functional safety.

The techniques and measures are specified in FSD303: Techniques and measures. See table B.1.

The implications of the design requirements on the architecture are considered during the design process. The architecture is closely related to the design requirements. See FSD115: Element Safety Functions, FSD304: System architecture description and FSD310: Software Flow Charts.
## DREQ summary

| ID | Title | Source | Status | Derived |
|---|---|---|---|---|
| | CAT4/HFT 1 | | PASS | |
| | Logic redundancy 13849-1 | | PASS | |
| | Globally unique serial numbers | | PASS | |
| | Valid serial numbers | | PASS | |
| | Valid serial numbers | | PASS | |
| | Production procedures | | PASS | |
| | EMC | | PASS | |
| | RED (Radio Equipment Directive) | | PASS | |
| | Max total 70 fits | | PASS | |
| | Environment tests 61131-2 | | PASS | |
| | User manual response time formula | | PASS | |
| | Vibration tests | | PASS | |
| | Temperature tests | | PASS | |
| | Overheating shut off | | PASS | |
| | Voltage requirement | | PASS | |
| | Restart once per year | | PASS | |
| | Manual environmental conditions | | PASS | |
| | Manual, user configuration USB | | PASS | |
| | Manual, user configuration radio | | PASS | |
| | Manual, user configuration CAN | | PASS | |
| | Manual, trained personnel | | PASS | |
| | Manual, incident report | | PASS | |
| | Fatal error codes and mitigations | | PASS | |
| | PSU CAT4/SIL3 | | PASS | |
| | Loss of power safe state | | PASS | |
| | Under voltage safe state | | PASS | |
| | Unstable Voltage safe state | | PASS | |
| | Over Voltage safe state | | PASS | |
| | Power supply < 20 fits | | PASS | |
| | Safe after restart | | PASS | SWSREQ_032E; SWSREQ_032A; SWSREQ_032B; SWSREQ_032C; SWSREQ_032D |
| | Redundant inputs | | PASS | |
| | Inputs < 10 fits | | PASS | |
| | Input voltage range | | PASS | |
| | Input asymmetrical resistor dividers | | PASS | |
| | Input signal types | | PASS | |
| | Two CPUs monitor inputs | | PASS | |
| | Input OFF/ON conditions | | PASS | |
| | Up to 14 inputs | | PASS | |
| | Combined inputs OFF/ON signal combinations | | PASS | |
| | Inputs startup test | | PASS | |
| | All inputs analog | | PASS | |
| | I/O ON and OFF states | | PASS | |
| | Coded input signals | | PASS | |
| | Redundant outputs CAT4 | | PASS | |
| | Transistor outputs 10 fits | | PASS | |
| | Transistor output distinguish faults | | PASS | |
| | Transistor outputs redundant transistors | | PASS | |
| | Outputs read back voltage | | PASS | |
| | OSSD | | PASS | |
| | OSSD detection same node | | PASS | |
| | 14 transistor outputs | | PASS | |
| | Coded output signals | | PASS | |
| | Static and pulsed transistor outputs | | PASS | |
| | No external control | | PASS | |
| | Redundant relays | | PASS | |
| | Redundancy relays | | PASS | |
| | Relays 10 fits | | PASS | |
| | Relays in series/parallel | | PASS | |
| | Redundant CPUs | | PASS | |
| | Time reference crystal 100ppm | | PASS | |
| | Time reference crystal measurement | | PASS | |
| | Continuous flash tests | | PASS | |
| | Continuous RAM tests | | PASS | |
| | Configuration hash | | PASS | |
| | Configuration hash | | PASS | |
| | Logic < 10 fits | | PASS | |
| | Output as function of inputs | | PASS | |
| | Function block programming | | PASS | |
| | Function block development procedure | | PASS | |
| | Combo I/O min read time | | PASS | |
| | Input filtering | | PASS | TEST_GUI_SYNC_INPUTS_1; TEST_GUI_SYNC_INPUTS_2; TEST_GUI_ADVANCED_INPUT_1 |
| | Selectable maximum communication reaction time | | PASS | |
| | User selectable max/min power supply voltage | | PASS | |
| | Logic calculation interval | | PASS | |
| | Logic calculation interval measurement | | PASS | |
| | Dangerous fault reaction time | | PASS | |
| | No user interface for unit setup | | PASS | |
| | Memory card replacement | | PASS | |
| | All code is safety code | | PASS | |
| | Operation modes | | PASS | |
| | Normal operation | | PASS | |
| | Safe state | | PASS | |
| | Safe state | | PASS | |
| | Internal failure safe state | | PASS | |
| | External failure safe state | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode | | PASS | |
| | Configuration mode interfaces | | PASS | |
| | Configuration download correct unit | | PASS | |
| | Configuration download correct unit | | PASS | |
| | Configuration download correct unit | | PASS | |
| | Configuration download success/fail | | PASS | |
| | CPU-CPU communication | | PASS | |
| | CPU-CPU communication white channel | | PASS | |
| | CPU-CPU communication CRC | | PASS | |
| | CPU-CPU communication timeout safe state | | PASS | |
| | CPU-CPU communication update frequency | | PASS | |
| | CPUs check compatible firmwares | | PASS | |
| | CPUs check same configuration | | PASS | |
| | CPUs check same configuration | | PASS | |
| | HW radio black channel | | PASS | |
| | Global memories | | PASS | |
| | Global memories per system | | PASS | |
| | Communication timeouts | | PASS | |
| | Radio timeout | | PASS | |
| | Global memories startup test | | PASS | |
| | No safety critical failure indication | | PASS | |
| | CAN communication HW | | PASS | |
| | CAN communication protocol | | PASS | |
| | Logic function | | PASS | |
| | Input/output signal combinations | | PASS | SWSREQ_011A; SWSREQ_011B; SWSREQ_011C; SWSREQ_011D; SWSREQ_011E |
## Design requirements

### General

| Title | Requirement |
|---|---|
| CAT4/HFT 1 | Safety Simplifier shall fulfil CAT4/HFT 1 and have SFF > 99%. The first stage of the power supply shall have HFT 0. Single outputs shall fulfil CAT3. |
| Logic redundancy 13849-1 | Safety Simplifier shall fulfil redundancy according to 13849-1 CAT4 for logic. |
| Globally unique serial numbers | Each Safety Simplifier shall have a globally unique serial number from production. The serial number shall be defined as a 32-bit unsigned integer between 1 and 0xFFFFFFFE. |
| Valid serial numbers | To minimize production errors, the serial numbers 0 and 0xFFFFFFFF shall be checked and handled as invalid. |
| Valid serial numbers | To allow Memory Card and Simplifier to use the same series, the Simplifier shall only use serial numbers with an even digit in the 10000s place, i.e. 0-9999, 20000-29999, 40000-49999, etc. Serial numbers with an odd digit in the 10000s place are reserved for memory cards. Note: a Simplifier may use the serial number of a memory card installed in it. This allows swapping a broken unit for a new one without having to reprogram the whole system. |
| Production procedures | The following procedures shall be implemented in production to fulfil Globally unique serial numbers (DREQ_28A), Valid serial numbers (DREQ_28B) and Valid serial numbers (DREQ_28C): |
| EMC | Safety Simplifier shall fulfil IEC 61131-2. |
| RED (Radio Equipment Directive) | Safety Simplifier shall fulfil RED. |
| Max total 70 fits | To achieve SIL3 requirements, the PFHd for the total system shall not exceed 70 fits. |
| Environment tests 61131-2 | The unit shall pass environment tests according to IEC 61131-2. |
| User manual response time formula | A formula to calculate the absolute maximum response time shall be given in the user manual. Intentional delays and SREQ-27 shall be included in the formula. |
| Vibration tests | Vibration tests as specified by Environmental conditions (SREQ_17D) shall be made for at least one unit. |
| Temperature tests | Temperature tests according to Environmental conditions (SREQ_17A), Storage temperature (SREQ_17B) and Operating temperature (SREQ_17C) shall be made for at least one unit. |
| Overheating shut off | Internal temperature shall be measured during normal operation, and if the measured temperature exceeds 85 °C the unit shall enter safe state. Note: the internal temperature will be higher than the external temperature since the unit is closed and has a power supply that generates heat. The device is designed for environments where the external temperature is up to 60 °C, so the internal temperature should not exceed 85 °C in normal operation. |
| Voltage requirement | The following voltage requirements shall be specified in the manual: |
| Restart once per year | The unit shall be restarted at least once per year. If the application in which it is used requires more frequent restarts, that requirement shall be fulfilled. This requirement shall be specified in the manual. |
| Manual environmental conditions | The storage and operating environmental conditions shall be specified in the manual. |
| Manual, user configuration USB | The correct procedure for configuring units via USB shall be available to the user in the manual. |
| Manual, user configuration radio | The correct procedure for configuring units via radio shall be available to the user in the manual. It shall especially consider Configuration (SREQ_N_07B) and Configuration (SREQ_N_07D). |
| Manual, user configuration CAN | The correct procedure for configuring units via CAN shall be available to the user in the manual. It shall especially consider Configuration (SREQ_N_07B) and Configuration (SREQ_N_07D). |
| Manual, trained personnel | The level of qualification required of users shall be specified in the manual. |
| Manual, incident report | |
| Fatal error codes and mitigations | All faults shall have unique error codes. For all faults, the cause and possible reason(s) for the fault shall be available to the user. |
### Subsystems

#### Power supply

| Title | Requirement |
|---|---|
| PSU CAT4/SIL3 | The power supply shall fulfil 13849-1 CAT4 and 61508 SIL3 requirements. |
| Loss of power safe state | Loss of power shall result in safe state. |
| Under voltage safe state | Under voltage shall result in safe state. The limit shall be configurable from 7 V to 30 V. The response time shall be minimum 500 ms and maximum 1000 ms. |
| Unstable Voltage safe state | Unstable voltage shall result in safe state. Unstable voltage is here defined as a voltage that does not fulfil the requirements of Under voltage safe state (DREQ_24B) or Over Voltage safe state (DREQ_24D). |
| Over Voltage safe state | Over voltage shall result in safe state. The limit shall be configurable from 8 V to 33 V. The response time shall be minimum 500 ms and maximum 1000 ms. |
| Power supply < 20 fits | To achieve SIL3 requirements, the contribution from the power supply shall not exceed 20 fits. |
| Safe after restart | There shall be no hazard or dangerous situation created as a result of a unit restarting, no matter why or how it is restarted. This includes: |
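The under-voltage and over-voltage rows above fix the configurable limit ranges and a 500 to 1000 ms response window but not the mechanism. The following is an added example, not the Safety Simplifier's own firmware: a monitor that validates the configured limits against those ranges, counts how long the supply has been outside the window, and latches a fault once that has persisted for 500 ms. The 1 ms sampling tick, the millivolt representation and the function names are assumptions.

```c
/* Added example (not the Safety Simplifier's firmware): supply-voltage monitor
 * for the under/over voltage requirements. Assumptions: the ADC is sampled once
 * per 1 ms logic tick and a fault is declared after the voltage has been out of
 * range for 500 ms, i.e. inside the required 500-1000 ms response window. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define TICK_MS        1u
#define TRIP_MS      500u      /* persistence before safe state is requested */
#define UNDER_MIN_MV  7000u    /* allowed range for the under-voltage limit (7-30 V) */
#define UNDER_MAX_MV 30000u
#define OVER_MIN_MV   8000u    /* allowed range for the over-voltage limit (8-33 V) */
#define OVER_MAX_MV  33000u

typedef enum { PSU_OK = 0, PSU_UNDER_VOLTAGE, PSU_OVER_VOLTAGE } psu_fault_t;

typedef struct {
    uint32_t    under_mv;         /* configured under-voltage limit */
    uint32_t    over_mv;          /* configured over-voltage limit */
    uint32_t    out_of_range_ms;  /* how long the supply has been outside the window */
    psu_fault_t latched;          /* non-zero once safe state has been requested */
} psu_monitor_t;

/* Reject limits outside the ranges the design allows, or an inverted window.
 * Returns false and leaves the monitor untouched on an invalid setting. */
bool psu_monitor_init(psu_monitor_t *m, uint32_t under_mv, uint32_t over_mv)
{
    if (under_mv < UNDER_MIN_MV || under_mv > UNDER_MAX_MV) return false;
    if (over_mv < OVER_MIN_MV || over_mv > OVER_MAX_MV) return false;
    if (under_mv >= over_mv) return false;
    m->under_mv = under_mv;
    m->over_mv = over_mv;
    m->out_of_range_ms = 0;
    m->latched = PSU_OK;
    return true;
}

/* Called once per tick with the measured supply voltage. Returns the fault that
 * should send the unit to safe state, or PSU_OK. Once tripped the result stays
 * latched: safe state is only left by a restart. */
psu_fault_t psu_monitor_tick(psu_monitor_t *m, uint32_t supply_mv)
{
    if (m->latched != PSU_OK) return m->latched;

    if (supply_mv >= m->under_mv && supply_mv <= m->over_mv) {
        m->out_of_range_ms = 0;          /* dips shorter than TRIP_MS are filtered */
        return PSU_OK;
    }
    m->out_of_range_ms += TICK_MS;
    if (m->out_of_range_ms >= TRIP_MS) {
        m->latched = (supply_mv < m->under_mv) ? PSU_UNDER_VOLTAGE : PSU_OVER_VOLTAGE;
    }
    return m->latched;
}

/* Feed a constant voltage for 'ms' milliseconds; returns the last tick result. */
psu_fault_t psu_feed(psu_monitor_t *m, uint32_t supply_mv, uint32_t ms)
{
    psu_fault_t f = m->latched;
    for (uint32_t t = 0; t < ms; t += TICK_MS) f = psu_monitor_tick(m, supply_mv);
    return f;
}

int main(void)
{
    psu_monitor_t m;
    psu_monitor_init(&m, 18000, 30000);           /* 18 V .. 30 V window */
    psu_feed(&m, 24000, 100);                     /* nominal 24 V */
    printf("300 ms dip to 12 V: fault=%d\n", (int)psu_feed(&m, 12000, 300));
    psu_feed(&m, 24000, 10);
    printf("600 ms dip to 12 V: fault=%d\n", (int)psu_feed(&m, 12000, 600));
    return 0;
}
```

A counter that resets whenever the voltage is back inside the window treats a supply that flaps in and out of range faster than 500 ms as healthy. Whether that satisfies the "Unstable Voltage safe state" row depends on what the hardware calculations assume, so the persistence rule is the part to confirm against FSD114 rather than copy.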
#### Inputs

| Title | Requirement |
|---|---|
| Redundant inputs | Redundancy according to 13849-1 CAT4 when inputs are used in redundant configuration. |
| Inputs < 10 fits | To achieve SIL3 requirements, the contribution from the inputs shall not exceed 10 fits. |
| Input voltage range | Each input shall be able to detect voltage levels from 0 to 30 V. |
| Input asymmetrical resistor dividers | Redundant inputs with asymmetrical resistor dividers shall be monitored continuously during operation. |
| Input signal types | Each input shall be able to distinguish between the different pulsed input signals, i.e. A/B/C/D/E pulses, as defined in FSD210. |
| Two CPUs monitor inputs | Each input shall be monitored by two processors. |
| Input OFF/ON conditions | Each input shall be able to be set to specified ON and OFF conditions handled by the software. See FSD210. |
| Up to 14 inputs | Safety Simplifier shall have up to 14 inputs. |
| Combined inputs OFF/ON signal combinations | A combination of ON and OFF conditions from inputs shall be usable as input logic conditions. |
| Inputs startup test | A start-up condition shall be configurable for inputs. Start-up means that an input condition must always start with the OFF condition before ON is possible: at power on, after loss of energy and after return of bus communication. |
| All inputs analog | All transistor inputs shall be implemented in HW as analogue (AD converter) inputs. The software shall handle all required input types. |
| I/O ON and OFF states | All transistor I/O shall have a configurable ON and OFF state as specified in FSD210. |
| Coded input signals | Each Safety Simplifier shall have inputs that are able to distinguish between the output signals defined in Coded output signals (DREQ_126A). |
#### Transistor outputs

| Title | Requirement |
|---|---|
| Redundant outputs CAT4 | Transistor outputs shall fulfil 13849-1 CAT4 safety redundancy when used in redundant configuration. |
| Transistor outputs 10 fits | To achieve SIL3 requirements, the contribution from the transistor outputs shall not exceed 10 fits. |
| Transistor output distinguish faults | Transistor outputs shall be able to distinguish between externally and internally detected faults. |
| Transistor outputs redundant transistors | Each transistor output shall have two transistors, each of which can individually set the output to zero voltage. |
| Outputs read back voltage | Transistor outputs shall be able to detect the voltage level on the output. |
| OSSD | Transistor outputs shall be configurable as OSSD outputs in order to detect external voltage connected to the output. |
| OSSD detection same node | Transistor outputs shall be able to detect short circuits between OSSD outputs from the same unit. |
| 14 transistor outputs | Each Safety Simplifier shall have up to 14 transistor outputs. |
| Coded output signals | Each Safety Simplifier shall be able to send out a minimum of 4 different pulse-coded signals and their 4 inverses. |
| Static and pulsed transistor outputs | The SW shall implement both static and pulsed outputs on all transistor outputs. |
| No external control | There shall be no external interface to directly control safety outputs. |
#### Relay outputs

| Title | Requirement |
|---|---|
| Redundant relays | Redundant relays shall be an optional output type. |
| Redundancy relays | Relays in redundant configuration shall achieve redundancy according to 13849-1 CAT4. |
| Relays 10 fits | To achieve SIL3 requirements, the contribution from the relay outputs shall not exceed 10 fits. |
| Relays in series/parallel | The output relays shall be connectable in parallel, in series, or separately. |
#### Logic and configuration

| Title | Requirement |
|---|---|
| Redundant CPUs | Two CPUs shall work in parallel to evaluate inputs, calculate the logic, and control/monitor the outputs. |
| Time reference crystal 100ppm | The reference timing source shall be implemented with a crystal or similar with a maximum error of 100 ppm over the full operating temperature span. |
| Time reference crystal measurement | The reference timing source shall be monitored by both CPUs. |
| Continuous flash tests | Flash memory tests shall be performed in both CPUs continuously during operation. |
| Continuous RAM tests | RAM tests shall be performed in both CPUs continuously during operation. |
| Configuration hash | The configuration shall be protected by a 128-bit secure hash (Chaskey-8). |
| Configuration hash | The configuration hash shall be checked at startup. |
| Logic < 10 fits | To achieve SIL3 requirements, the contribution from the logic shall not exceed 10 fits. |
| Output as function of inputs | Outputs on a node in a Simplifier system shall be controllable by logic that depends on inputs from up to 16 nodes (including itself). |
| Function block programming | The logic shall be configured by the user by means of function blocks. |
| Function block development procedure | All safety-related function blocks (inputs, logic and outputs) shall be developed according to the procedure specified in FSD123: Function block development procedure. |
| Combo I/O min read time | For the special I/O type "combined I/O", the logic shall be able to use the I/O as both input and output within 4 ms, i.e. the input part shall be read at least every 4 ms. The duty cycle when active/ON shall be at least 75%. |
| Input filtering | The configuration shall have an option to select additional input filtering between 0 and 10000 ms. |
| Selectable maximum communication reaction time | The maximum reaction time from detecting a stop condition from a safety device until the stop condition is achieved (i.e. the output(s) set to zero) shall be configurable by the user. |
| User selectable max/min power supply voltage | The programming tool shall provide settings for the maximum and minimum supply voltage of a Safety Simplifier. |
| Logic calculation interval | In normal operation mode, the firmware shall calculate the PLC logic at a fixed 1 ms interval. The fixed interval is defined such that the average interval over 10 seconds fulfils Timing accuracy (SREQ_27). |
| Logic calculation interval measurement | The time interval of the logic calculation shall be measured and verified to fulfil Logic calculation interval (DREQ_108A). |
| Dangerous fault reaction time | The maximum delay from a dangerous failure occurring in a unit until all affected outputs in the complete system have reached safe state or design safe state shall be the time defined in Dangerous failure response ... (SREQ_09B). |
| No user interface for unit setup | There shall be no code that implements a user interface to set up or replace a unit from scratch, except that which is defined in Memory card replacement (DREQ_10B). |
| Memory card replacement | There shall be a means to replace a unit by transferring its memory card to a new unit and following a replacement procedure. Note: this is intended to "move" a configuration from a (usually defective) unit to a new one, to allow quick replacement of defective units. |
| All code is safety code | All code shall be considered safety code/safety related. |
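The two "Configuration hash" rows above name Chaskey-8, and the CPU-CPU section later requires both CPUs to compare the hash of each other's configuration before normal operation. One caveat a reviewer should record: Chaskey (Mouha et al.) is a keyed MAC, not an unkeyed hash. The tag detects accidental corruption regardless of the key, but it only detects deliberate modification by a party that does not hold the key, and a key compiled into both CPUs' firmware is available to anyone who can read that firmware. The following is an added example, not the product's code: Chaskey-8 as in the published reference algorithm (128-bit key, 8 ARX rounds per 16-byte block, subkeys K1 and K2 obtained by doubling in GF(2^128)), applied to a constructed configuration image that each CPU verifies and whose tags both CPUs then compare. The configuration layout, the key value and the function names are assumptions.

```c
/* Added example (not the Safety Simplifier's code): Chaskey-8 tag over a
 * configuration image, verified independently by two CPUs and compared before
 * normal operation. The algorithm follows the published Chaskey reference;
 * the configuration layout, key and API are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define ROTL32(x, b) ((uint32_t)(((x) << (b)) | ((x) >> (32 - (b)))))

/* One Chaskey round on the four-word state. */
static void chaskey_round(uint32_t v[4])
{
    v[0] += v[1]; v[1] = ROTL32(v[1], 5);  v[1] ^= v[0]; v[0] = ROTL32(v[0], 16);
    v[2] += v[3]; v[3] = ROTL32(v[3], 8);  v[3] ^= v[2];
    v[0] += v[3]; v[3] = ROTL32(v[3], 13); v[3] ^= v[0];
    v[2] += v[1]; v[1] = ROTL32(v[1], 7);  v[1] ^= v[2]; v[2] = ROTL32(v[2], 16);
}

/* Multiply a 128-bit value (little-endian words) by x in GF(2^128). */
static void times_two(uint32_t out[4], const uint32_t in[4])
{
    uint32_t carry = (in[3] >> 31) ? 0x87u : 0u;
    out[0] = (in[0] << 1) ^ carry;
    out[1] = (in[1] << 1) | (in[0] >> 31);
    out[2] = (in[2] << 1) | (in[1] >> 31);
    out[3] = (in[3] << 1) | (in[2] >> 31);
}

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Chaskey-8 MAC: 16-byte tag over msg under the 128-bit key k. */
void chaskey8_tag(uint8_t tag[16], const uint8_t *msg, size_t len, const uint32_t k[4])
{
    uint32_t k1[4], k2[4], v[4];
    uint8_t last[16];
    size_t off = 0;
    const uint32_t *sub;

    times_two(k1, k);            /* K1 = 2*K,  used when the last block is full   */
    times_two(k2, k1);           /* K2 = 4*K,  used when the last block is padded */
    memcpy(v, k, sizeof v);      /* state starts as the key */

    /* Every full block except the final one is absorbed unmodified. */
    while (len - off > 16) {
        for (int i = 0; i < 4; i++) v[i] ^= load_le32(msg + off + 4 * i);
        for (int r = 0; r < 8; r++) chaskey_round(v);
        off += 16;
    }
    size_t rem = len - off;
    if (len != 0 && rem == 16) {
        memcpy(last, msg + off, 16);
        sub = k1;
    } else {                     /* pad with 0x01 then zeros, select K2 */
        memset(last, 0, sizeof last);
        if (rem) memcpy(last, msg + off, rem);
        last[rem] = 0x01;
        sub = k2;
    }
    for (int i = 0; i < 4; i++) v[i] ^= load_le32(last + 4 * i) ^ sub[i];
    for (int r = 0; r < 8; r++) chaskey_round(v);
    for (int i = 0; i < 4; i++) store_le32(tag + 4 * i, v[i] ^ sub[i]);
}

/* A configuration image as one CPU holds it: the data plus its stored tag. */
typedef struct { const uint8_t *data; size_t len; uint8_t tag[16]; } config_image_t;

static bool ct_equal16(const uint8_t *a, const uint8_t *b)   /* constant-time compare */
{
    uint8_t d = 0;
    for (int i = 0; i < 16; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

void config_seal(config_image_t *img, const uint32_t key[4])
{
    chaskey8_tag(img->tag, img->data, img->len, key);
}

bool config_verify(const config_image_t *img, const uint32_t key[4])
{
    uint8_t tag[16];
    chaskey8_tag(tag, img->data, img->len, key);
    return ct_equal16(tag, img->tag);
}

/* Startup check as both CPUs would run it: each verifies its own image, then the
 * stored tags are exchanged and compared. True only if normal operation may start. */
bool cpus_agree_on_config(const config_image_t *cpu1, const config_image_t *cpu2, const uint32_t key[4])
{
    return config_verify(cpu1, key) && config_verify(cpu2, key) && ct_equal16(cpu1->tag, cpu2->tag);
}

/* Constructed demonstration: CPU1 seals a made-up 37-byte configuration, CPU2
 * holds a copy; with 'tamper' one byte of CPU2's copy is flipped. */
bool demo_config_check(bool tamper)
{
    static const uint32_t key[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u }; /* assumed key */
    uint8_t cfg1[37], cfg2[37];
    for (size_t i = 0; i < sizeof cfg1; i++) cfg1[i] = (uint8_t)(i * 37u + 11u);   /* constructed bytes */
    config_image_t cpu1 = { cfg1, sizeof cfg1, {0} };
    config_seal(&cpu1, key);
    memcpy(cfg2, cfg1, sizeof cfg1);
    config_image_t cpu2 = { cfg2, sizeof cfg2, {0} };
    memcpy(cpu2.tag, cpu1.tag, sizeof cpu2.tag);
    if (tamper) cfg2[20] ^= 0x40;
    return cpus_agree_on_config(&cpu1, &cpu2, key);
}
```

If the goal of the hash rows is only to catch a corrupted or mismatched download, the key can be a fixed constant and the design holds. If the goal is also to stop someone with write access to the configuration interface from planting a modified configuration, the key has to be kept out of the attacker's reach, which in practice means it has to be set per unit during production rather than shipped in the firmware image.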
#### Operation modes

| Title | Requirement |
|---|---|
| Operation modes | The following modes of operation shall be implemented: |
| Normal operation | In the normal mode of operation, the unit can communicate via the different interfaces, and controls outputs based on inputs according to the user configuration. |
| Safe state | In the safe state all outputs shall be monitored and continuously set to safe state. |
| Safe state | The software shall implement safe state as a non-returning function: the only way to leave safe state shall be to restart the CPU. |
| Internal failure safe state | If a unit detects an internal dangerous failure, the unit shall go to safe state. |
| External failure safe state | If a dangerous external failure is detected, the relevant outputs shall go to design safe state. |

#### Configuration mode

| Title | Requirement |
|---|---|
| Configuration mode | The configuration mode shall be implemented as a non-returning function. The only way to leave configuration mode is by a software reset or power cycle. |
| Configuration mode | In configuration mode all outputs shall be continuously monitored and turned off. |
| Configuration mode | It shall only be possible to enter configuration mode at startup, by a software reset. |
| Configuration mode | Code that handles configuration shall only be reachable in configuration mode. |
| Configuration mode | The configuration mode shall be protected by a password. If the password is incorrect, the unit shall ignore the request to enter configuration mode. Note: if the password is incorrect, the unit continues what it is currently doing. |
| Configuration mode | If the configuration tool is connected but does not activate the configuration state, the Safety Simplifier shall work as normal. |
| Configuration mode | All configuration attempts when not in configuration mode shall be rejected. |
| Configuration mode interfaces | The configuration mode can be accessed via the following interfaces: |
| Configuration download correct unit | The PC tool shall verify that the destination unit is the unit specified by the user. |
| Configuration download correct unit | The PC tool shall allow the user to visually identify units via radio. |
| Configuration download correct unit | The PC tool shall allow the user to visually identify units via CAN. |
| Configuration download success/fail | After downloading a configuration to one or more units, the PC software shall present the success or failure to the user. |
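The safe-state and configuration-mode rows above describe a reachability structure rather than an algorithm: safe state never returns, configuration mode is entered only through a software reset, and configuration code is unreachable in any other mode. The following added example (not the product's firmware) shows one way to realise that on a microcontroller: a password-checked request only sets a marker in a RAM word that survives a software reset, the startup code consumes the marker and picks the mode, and configuration writes are refused in every other mode. The reset-reason source, the no-init RAM word, the stored password and the function names are assumptions; on real hardware the configuration handler would additionally be kept out of the normal-mode code path altogether, not only guarded by a mode check.

```c
/* Added example (not the Safety Simplifier's firmware): mode selection at
 * startup, password-gated configuration-mode request, non-returning safe state,
 * and rejection of configuration writes outside configuration mode. The no-init
 * RAM word, reset-reason source and password storage are stand-ins. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef enum { MODE_NORMAL = 0, MODE_CONFIG, MODE_SAFE } run_mode_t;
typedef enum { RESET_POWER_ON = 0, RESET_SOFTWARE, RESET_WATCHDOG } reset_reason_t;
typedef enum { CFG_REJECTED = 0, CFG_ACCEPTED } cfg_result_t;

#define CONFIG_REQUEST_MAGIC 0xC0F16A5Eu        /* arbitrary marker value (assumption) */

/* Stand-in for a RAM word in a section the startup code does not zero. */
static uint32_t g_noinit_request;
/* Stand-in for the stored configuration password (assumption). */
static const uint8_t g_password[8] = { 's', '1', 'm', 'p', 'l', '1', 'f', 'y' };
/* Stand-in for the configuration flash. */
static uint8_t g_config_store[64];
static size_t  g_config_len;

static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)   /* constant-time */
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

/* Handle an "enter configuration mode" request received in normal operation.
 * Correct password: record the request and tell the caller to perform a software
 * reset (true). Wrong password: change nothing, the unit carries on (false). */
bool config_mode_request(const uint8_t *pw, size_t pw_len)
{
    if (pw_len != sizeof g_password || !ct_equal(pw, g_password, pw_len)) return false;
    g_noinit_request = CONFIG_REQUEST_MAGIC;
    return true;
}

/* Decide the mode at startup. Configuration mode needs BOTH a software reset and
 * the request marker; the marker is consumed so the next reset is normal again. */
run_mode_t boot_select_mode(reset_reason_t reason)
{
    uint32_t req = g_noinit_request;
    g_noinit_request = 0;
    if (reason == RESET_SOFTWARE && req == CONFIG_REQUEST_MAGIC) return MODE_CONFIG;
    return MODE_NORMAL;
}

/* Configuration writes are only honoured in configuration mode. */
cfg_result_t handle_config_write(run_mode_t mode, const uint8_t *blob, size_t len)
{
    if (mode != MODE_CONFIG) return CFG_REJECTED;
    if (len > sizeof g_config_store) return CFG_REJECTED;
    memcpy(g_config_store, blob, len);
    g_config_len = len;
    return CFG_ACCEPTED;
}

size_t config_store_len(void) { return g_config_len; }

/* Non-returning safe state: outputs are forced off every cycle and the only way
 * out is a CPU restart. The callbacks stand in for the output driver and the
 * watchdog refresh. */
_Noreturn void enter_safe_state(void (*outputs_off)(void), void (*kick_watchdog)(void))
{
    for (;;) {
        outputs_off();
        kick_watchdog();
    }
}
```

Keeping the request as a marker that is only read by the reset path means that a bug or an attacker in normal mode cannot reach the configuration handler by calling it; the worst a forged request can do is cause a restart into normal operation, which the "Safe after restart" row already has to tolerate.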
#### CPU-CPU communication

| Title | Requirement |
|---|---|
| CPU-CPU communication | The CPUs shall communicate with each other over a dedicated duplex communication channel. |
| CPU-CPU communication white channel | The C2C communication channel shall be implemented as a white channel. |
| CPU-CPU communication CRC | The CPU-CPU packets shall be protected by a 32-bit CRC. |
| CPU-CPU communication timeout safe state | If more than 20 packets in a row in either direction are lost or corrupt, the unit shall enter safe state. |
| CPU-CPU communication update frequency | Both CPUs shall transmit a packet once every 1 ms. |
| CPUs check compatible firmwares | The CPUs shall check each other's SW version before starting normal operation. If they are not compatible, the unit shall enter safe state. |
| CPUs check same configuration | The CPUs shall check the hash of each other's configuration before starting normal operation. If they are not equal, the unit shall enter safe state. |
| CPUs check same configuration | The serial number shall be programmed into CPU1 flash during production and protected by a 32-bit CRC. CPU1 shall check its production data by calculating the CRC, and also verify that the serial number is valid (see Globally unique serial numbers (DREQ_28A)). If the production data is invalid or the serial number is invalid, the unit shall enter safe state. |
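The CRC, consecutive-loss and production-data rows above, together with the serial-number rules in the General section, are concrete enough to implement. The following is an added example, not the product's code: a CRC-32 (the IEEE 802.3 reflected polynomial 0xEDB88320, an assumption since the page does not name the polynomial), the serial-number classification (0 and 0xFFFFFFFF invalid, even ten-thousands digit for units, odd for memory cards), CPU1's production-record check, and a receiver that counts consecutive lost or corrupt CPU-CPU packets and requests safe state after more than 20. The packet layout with a sequence number is an assumption. A CRC detects random corruption only, which is adequate here because the white-channel row makes the link part of the assessed safety design rather than an untrusted medium.

```c
/* Added example (not the Safety Simplifier's code): CRC-32 protection of the
 * CPU-CPU packets and the production record, the "more than 20 consecutive lost
 * or corrupt packets" rule, and the serial-number validity rules. The CRC
 * polynomial, packet layout and production-record layout are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define C2C_MAX_CONSECUTIVE_BAD 20u

/* CRC-32 (IEEE 802.3): reflected, init 0xFFFFFFFF, final XOR 0xFFFFFFFF. */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* ---- Serial numbers (Globally unique serial numbers / Valid serial numbers) ---- */
typedef enum { SERIAL_INVALID = 0, SERIAL_SIMPLIFIER, SERIAL_MEMORY_CARD } serial_kind_t;

serial_kind_t serial_kind(uint32_t s)
{
    if (s == 0u || s == 0xFFFFFFFFu) return SERIAL_INVALID;   /* blank / erased flash markers */
    /* Even digit in the 10000s place: unit. Odd digit: memory card. */
    return (((s / 10000u) % 10u) % 2u == 0u) ? SERIAL_SIMPLIFIER : SERIAL_MEMORY_CARD;
}

/* ---- Production data in CPU1 flash (layout assumed) ---- */
typedef struct { uint32_t serial; uint32_t crc; } production_data_t;

void production_data_write(production_data_t *pd, uint32_t serial)
{
    pd->serial = serial;
    pd->crc = crc32_ieee((const uint8_t *)&pd->serial, sizeof pd->serial);
}

/* CPU1's startup check: CRC must match and the serial must be a valid unit or
 * memory-card number. False means "enter safe state". */
bool production_data_valid(const production_data_t *pd)
{
    if (crc32_ieee((const uint8_t *)&pd->serial, sizeof pd->serial) != pd->crc) return false;
    return serial_kind(pd->serial) != SERIAL_INVALID;
}

/* ---- CPU-CPU packets, one per 1 ms slot in each direction ---- */
typedef struct {
    uint8_t  seq;          /* wraps; lets the receiver notice lost packets */
    uint8_t  payload[7];   /* I/O state exchanged between the CPUs (assumed) */
    uint32_t crc;          /* CRC-32 over seq + payload */
} c2c_packet_t;

typedef struct {
    uint8_t  expected_seq;
    uint32_t consecutive_bad;
    bool     safe_state;   /* latched once the rule has tripped */
} c2c_rx_t;

void c2c_pack(c2c_packet_t *pkt, uint8_t seq, const uint8_t payload[7])
{
    pkt->seq = seq;
    memcpy(pkt->payload, payload, 7);
    pkt->crc = crc32_ieee((const uint8_t *)pkt, offsetof(c2c_packet_t, crc));
}

/* Called once per slot with the packet that arrived, or NULL if none. A corrupt
 * or out-of-sequence packet counts like a lost one. Returns true while the link
 * is healthy; after more than 20 bad slots in a row safe state is latched. */
bool c2c_rx_slot(c2c_rx_t *rx, const c2c_packet_t *pkt)
{
    if (rx->safe_state) return false;
    bool good = pkt != NULL &&
                crc32_ieee((const uint8_t *)pkt, offsetof(c2c_packet_t, crc)) == pkt->crc &&
                pkt->seq == rx->expected_seq;
    if (good) {
        rx->consecutive_bad = 0;
    } else {
        rx->consecutive_bad++;
        if (rx->consecutive_bad > C2C_MAX_CONSECUTIVE_BAD) rx->safe_state = true;
    }
    rx->expected_seq = (uint8_t)(rx->expected_seq + 1);   /* the peer sends every slot */
    return !rx->safe_state;
}
```

The sequence number is what turns "lost" into something the receiver can count: without it a delayed packet with a valid CRC would look like a fresh one, and the 20-packet budget could be consumed without the coun­ter ever noticing.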
#### Radio

| Title | Requirement |
|---|---|
| HW radio black channel | The HW radio communication shall be implemented as a black channel. |
| Global memories | A Safety Simplifier shall have a configurable number of transmitted "safe bits" (global memories), in groups of 16, up to 256. |
| Global memories per system | A Safety Simplifier network shall be able to share a maximum of 256 global memories. The configuration can allocate these in groups of 16 between the nodes in the network. Note: for example, a system of 16 nodes can have node 1 with 8 memory groups (128 global memories) and node 2 with 8 memory groups, a total of 256 memories; the other 14 nodes then have no memories. |
| Communication timeouts | All nodes in a system shall keep track of the timeouts of all other nodes. |
| Radio timeout | The radio timeout shall be configurable from 4 ms up to 60000 ms. |
| Global memories startup test | Each global memory shall have a selectable start-up function. This means that the receiving node has to receive a valid 0 before it can accept a 1 (i.e. receiving a 1 after a radio timeout or just after network startup does not result in a valid 1 in the logic). |
| No safety critical failure indication | There shall be no safety-critical messages that indicate failures. All failure indications shall be implemented by detecting the absence of safety packets (timeout). |
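The radio rows above specify per-node timeouts and the start-up function for global memories, and the "Inputs startup test" row in the inputs section asks for the same 0-before-1 rule on local inputs. The following is an added example, not the product's code: receiver-side bookkeeping in which every node tracks the last valid packet from every other node, drops a node's memories to 0 when its timeout expires, and accepts a 1 on a memory with the start-up function only after a valid 0 has been received since startup or since the last timeout. The node count, the 16-bit groups and the timeout range come from the rows; the API and the millisecond tick are assumptions.

```c
/* Added example (not the Safety Simplifier's code): per-node radio timeout
 * tracking and the start-up function for received global memories. Node count,
 * 16-bit groups and the 4..60000 ms timeout range come from the requirements;
 * the API and the time base are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define MAX_NODES     16u
#define MAX_MEMORIES 256u
#define MAX_GROUPS   (MAX_MEMORIES / 16u)

typedef struct {
    uint32_t timeout_ms;                        /* configured radio timeout */
    uint32_t last_rx_ms[MAX_NODES];             /* time of last valid packet per node */
    bool     alive[MAX_NODES];                  /* false until heard, or after timeout */
    uint16_t value[MAX_NODES][MAX_GROUPS];      /* last received bits per group */
    uint16_t armed[MAX_NODES][MAX_GROUPS];      /* bit set once a valid 0 has been seen */
    uint16_t startup_fn[MAX_NODES][MAX_GROUPS]; /* bit set = start-up function selected */
} gm_state_t;

/* Returns false if the timeout is outside the configurable range. */
bool gm_init(gm_state_t *s, uint32_t timeout_ms)
{
    if (timeout_ms < 4u || timeout_ms > 60000u) return false;
    memset(s, 0, sizeof *s);
    s->timeout_ms = timeout_ms;
    return true;
}

/* Select the start-up function for the bits in 'mask' of group g of node n. */
void gm_set_startup(gm_state_t *s, unsigned n, unsigned g, uint16_t mask)
{
    if (n < MAX_NODES && g < MAX_GROUPS) s->startup_fn[n][g] = mask;
}

/* A valid safety packet from node n carrying group g arrived at now_ms.
 * Every 0 received arms that bit: a later 1 on it is then acceptable. */
void gm_receive(gm_state_t *s, unsigned n, unsigned g, uint16_t bits, uint32_t now_ms)
{
    if (n >= MAX_NODES || g >= MAX_GROUPS) return;
    s->last_rx_ms[n] = now_ms;
    s->alive[n] = true;
    s->value[n][g] = bits;
    s->armed[n][g] |= (uint16_t)~bits;
}

/* Run every logic cycle. A node whose packets have stopped for longer than the
 * timeout is marked dead, all its memories fall back to 0, and its arming is
 * cleared so the 0-then-1 sequence is required again when it reappears. */
void gm_tick(gm_state_t *s, uint32_t now_ms)
{
    for (unsigned n = 0; n < MAX_NODES; n++) {
        if (s->alive[n] && (uint32_t)(now_ms - s->last_rx_ms[n]) > s->timeout_ms) {
            s->alive[n] = false;
            memset(s->value[n], 0, sizeof s->value[n]);
            memset(s->armed[n], 0, sizeof s->armed[n]);
        }
    }
}

/* Value the logic may use for bit 'bit' of group g of node n. A node that was
 * never heard or has timed out reads as 0, as does a 1 on a start-up-function
 * memory that has not seen a valid 0 yet. */
bool gm_read(const gm_state_t *s, unsigned n, unsigned g, unsigned bit)
{
    if (n >= MAX_NODES || g >= MAX_GROUPS || bit >= 16u || !s->alive[n]) return false;
    uint16_t m = (uint16_t)(1u << bit);
    if ((s->startup_fn[n][g] & m) && !(s->armed[n][g] & m)) return false;
    return (s->value[n][g] & m) != 0;
}
```

Because failure is signalled only by absence of packets (the last row above), the timeout path in `gm_tick` is the whole failure-handling story on the receiving side: there is no "I have failed" message to parse, and therefore nothing an attacker or a corrupted packet could forge to make a peer look healthy or unhealthy other than the safety packets themselves.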
#### CAN

| Title | Requirement |
|---|---|
| CAN communication HW | The HW CAN communication shall be implemented as a black channel. |
| CAN communication protocol | Two modes of CAN communication shall be available: |
| Logic function | Safety Simplifier shall be configurable using Boolean algebra functions and numeric (integer) functions/operations. |
| Input/output signal combinations | Input and output signal combinations shall be configurable according to FSD209 and FSD210. |
## Revision History

| Date | By | Version | Description |
|---|---|---|---|
| 2017-04-21 | Mats Linger | V1 | Initial version |
| 2017-06-30 | Mats Linger | V2 | Text changes, no change in requirements. |
| 2017-07-06 | Mats Linger | V3 | Numbering changes and changed requirements. |
| 2017-07-07 | Mats Linger | V4 | Added requirements. |
| 2017-08-18 | Mats Linger | V5 | Added and adjusted requirements. |
| 2017-09-10 | Mats Linger | V6 | Adjustments of numbers and text, DREQ red in list. |
| 2017-09-10 | Mats Linger | V7 | Added DREQ 2.2. |
| 2017-10-11 | Mats Linger | V8 | Changed DREQ107.1 and DREQ8.1. |
| 2018-04-11 | Mats Linger | V9 | Changed DREQ: 3.1, 7.1, 7.2, 7.3, 120.1, 122.1 and 127.1. |
| 2018-04-11 | Mats Linger | V10 | Adjusted DREQ3. |
| 2018-05-02 | Mats Linger | V11 | Adjusted DREQ8.1 Response time for pulses and DREQ7.3 Formula in manual. |
| 2023-09-01 | William Forsdal | V12 | Copied old document over to the new structure, no change in requirements. |
| 2023-09-01 | William Forsdal | V13 | |
| 2025-08-05 | William Forsdal | V14 | |