FSD501: Safety Manual Requirements

| Field | Value |
|---|---|
| Title | FSD501: Safety Manual Requirements |
| Version | V1 |
| Products | Safety Simplifier |
| Requirements | 61508-2 Annex D, 61508-3 Annex D |
| Purpose | Define the requirements for the safety manual. |
| Input | N/A |
| Output | N/A |
Description

This document specifies the safety manual requirements identified from the output of phase 10.3 and during the development of the product, as well as the applicable requirements from EN 61508-2 Annex D and EN 61508-3 Annex D.
| ID | Status |
|---|---|
| 61508-2 Annex D.2.1 a) | PASS |
| 61508-2 Annex D.2.1 b) | PASS |
| 61508-2 Annex D.2.1 c) | PASS |
| 61508-2 Annex D.2.2 a) | PASS |
| 61508-2 Annex D.2.2 b) | PASS |
| 61508-2 Annex D.2.2 c) | PASS |
| 61508-2 Annex D.2.2 d) | PASS |
| 61508-2 Annex D.2.2 e) | PASS |
| 61508-2 Annex D.2.2 f) | PASS |
| 61508-2 Annex D.2.2 g) | PASS |
| 61508-2 Annex D.2.2 h) | PASS |
| 61508-2 Annex D.2.2 i) | PASS |
| 61508-2 Annex D.2.2 j) | PASS |
| 61508-2 Annex D.2.2 k) | PASS |
| 61508-3 Annex D.1.1 | PASS |
| 61508-3 Annex D.1.2 | PASS |
| 61508-3 Annex D.1.3 | PASS |
| 61508-3 Annex D.2.1 | PASS |
| 61508-3 Annex D.2.2 | PASS |
| 61508-3 Annex D.2.3 a) | PASS |
| 61508-3 Annex D.2.3 b) | PASS |
| 61508-3 Annex D.2.3 c) | PASS |
| 61508-3 Annex D.2.4 a) | PASS |
| 61508-3 Annex D.2.4 b) | PASS |
| 61508-3 Annex D.2.4 c) | PASS |
| 61508-3 Annex D.2.4 d) | PASS |
| 61508-3 Annex D.2.4 e) | PASS |
| 61508-3 Annex D.2.4 f) | PASS |
| 61508-3 Annex D.2.4 g) | PASS |
| 61508-3 Annex D.2.4 h) | PASS |
| 61508-3 Annex D.2.4 i) | PASS |
| 61508-3 Annex D.2.4 j) | PASS |
| 61508-3 Annex D.2.4 k) | PASS |
| 61508-3 Annex D.2.4 l) | PASS |
| 61508-3 Annex D.2.4 m) | PASS |
| 61508-3 Annex D.2.4 n) | PASS |
| 61508-3 Annex D.3.1 | PASS |
| 61508-3 Annex D.3.2 | PASS |
| 61508-3 Annex D.3.3 | PASS |
Motivations 61508-2 chapter 7.6.2

a) There are no parts with a pre-defined life in the Safety Simplifier. See manual section 1.6. A Safety Simplifier unit is replaced by replacing the entire unit.
b) Throughout the manual; see mainly manual chapter 3.
c) Formulas for PFH-d values are in chapter 9 and the calculation of reaction time in chapter 10. See also chapter 4.1.
d) See the RISE test report in the manual.
e) See section 1.6.
f) See section 1.6.
g) See section 1.6 and chapter 13.

The manual is continuously updated. Every work package (FSWPxxxx) specifies the necessary changes to the manual under "Manuals/Documentation". The procedure for developing new function blocks includes specifying the necessary changes to the manual. The latest version of the manual is always available from SSP North and directly in the PC configuration tool (Simplifier Manager).

The manual adds a requirement to restart the product at least once per year, because some internal tests are only performed at startup. Besides this, the only maintenance requirement for a working system is to restart it at least once per year. As the Simplifier works in high-demand/continuous mode of operation and all outputs fall (turn off) on a fatal error, an EUC cannot be designed such that a restart causes a dangerous situation.

Chapter 4 (technical data) contains the minimum and maximum voltages for the power supply.
Chapter 3.
Chapter 4 (technical data) contains the storage and operating temperature requirements for the Safety Simplifier.
Chapter 13.8.2.
Chapter 13.8.3.
Chapter 13.8.2.
SimpleCAN manual.
Chapter 1.4.
Chapter 1.3.
The PC software displays error codes in the event of a fatal error. The manual lists all fatal error codes in chapter 11.9.3.16.
Requirements

The user manual shall contain information and warnings about potential hazards. Customers are responsible for reporting hazardous incidents to SSP North AB, and this responsibility shall be documented in the user manual.
Requirements from 61508-2 Annex D

| ID | Requirement |
|---|---|
| 61508-2 Annex D.2.1 a) | The safety manual shall include a functional specification of the functions capable of being performed. |
| 61508-2 Annex D.2.1 b) | The safety manual shall include identification of the hardware and/or software configuration of the compliant item to enable configuration management of the E/E/PE safety-related system in accordance with 6.2.1 of IEC 61508-1. |
| 61508-2 Annex D.2.1 c) | The safety manual shall include constraints on the use of the compliant item and/or assumptions on which analysis of the behaviour or failure rates of the item are based. |
| 61508-2 Annex D.2.2 a) | The safety manual shall include the failure modes of the compliant item (in terms of the behaviour of its outputs), due to random hardware failures, that result in a failure of the function and that are not detected by diagnostics internal to the compliant item. |
| 61508-2 Annex D.2.2 b) | The safety manual shall include, for every failure mode in a), an estimated failure rate. |
| 61508-2 Annex D.2.2 c) | The safety manual shall include the failure modes of the compliant item (in terms of the behaviour of its outputs), due to random hardware failures, that result in a failure of the function and that are detected by diagnostics internal to the compliant item. |
| 61508-2 Annex D.2.2 d) | The safety manual shall include the failure modes of the diagnostics, internal to the compliant item (in terms of the behaviour of its outputs), due to random hardware failures, that result in a failure of the diagnostics to detect failures of the function. |
| 61508-2 Annex D.2.2 e) | The safety manual shall include, for every failure mode in c) and d), the estimated failure rate. |
| 61508-2 Annex D.2.2 f) | The safety manual shall include, for every failure mode in c) that is detected by diagnostics internal to the compliant item, the diagnostic test interval. |
| 61508-2 Annex D.2.2 g) | The safety manual shall include, for every failure mode in c), the outputs of the compliant item initiated by the internal diagnostics. |
| 61508-2 Annex D.2.2 h) | The safety manual shall include any periodic proof test and/or maintenance requirements. |
| 61508-2 Annex D.2.2 i) | The safety manual shall include, for those failure modes, in respect of a specified function, that are capable of being detected by external diagnostics, sufficient information to facilitate the development of an external diagnostic capability. The information shall include details of the failure modes and, for those failure modes, the failure rates. |
| 61508-2 Annex D.2.2 j) | The safety manual shall include the hardware fault tolerance. |
| 61508-2 Annex D.2.2 k) | The safety manual shall include the classification as type A or type B of that part of the compliant item that provides the function (see 7.4.4.1.2 and 7.4.4.1.3). |
Requirements from 61508-3 Annex D

| ID | Requirement |
|---|---|
| 61508-3 Annex D.1.1 | When an element is re-used or is intended to be re-used in one or more other system developments, it is necessary to ensure that the element is accompanied by a sufficiently precise and complete description (i.e. functions, constraints and evidence) to make possible an assessment of the integrity of a specific safety function that depends wholly or partly on the element. This shall be implemented by means of a safety manual. |
| 61508-3 Annex D.1.2 | The safety manual may consist of the element supplier's documentation if this is adequate to meet the requirements of Annex D of IEC 61508-2 and of this annex. Otherwise it should be created as part of the design of the safety-related system. |
| 61508-3 Annex D.1.3 | The safety manual shall define the attributes of an element, which may comprise hardware constraints and/or software, of which the integrator shall be aware and take into consideration during application. In particular it forms the vehicle for informing the integrator of its properties and what the element was designed for, its behaviour and characteristics. |
| 61508-3 Annex D.2.1 | The safety manual shall contain all the information required by IEC 61508-2 Annex D that is relevant to the element. E.g. the hardware-related items of IEC 61508-2 Annex D are not relevant to a purely software element. |
| 61508-3 Annex D.2.2 | The element shall be identified and all necessary instructions for its use shall be available to the integrator. |
| 61508-3 Annex D.2.3 a) | The configuration of the software element, the software and hardware run-time environment and, if necessary, the configuration of the compilation / link system shall be documented in the safety manual. |
| 61508-3 Annex D.2.3 b) | The recommended configuration of the software element shall be documented in the safety manual and that configuration shall be used in the safety application. |
| 61508-3 Annex D.2.3 c) | The safety manual shall include all the assumptions made on which the justification for use of the element depends. |
| 61508-3 Annex D.2.4 a) | Competence: The minimum degree of knowledge expected of the integrator of the element should be specified, i.e. knowledge of specific application tools. |
| 61508-3 Annex D.2.4 b) | Degree of reliance placed on the element: Details of any certification of the element, independent assessment performed, and the integrity that the integrator may place on the pre-existing element. This should include the integrity to which the element was designed, the standards that were followed during the design process, and any constraints passed to the integrator which shall be implemented in support of the systematic capability claimed. (Depending on the functionality of the element, it is conceivable that some requirements may only be met at the integration phase of a system. In such circumstances, these requirements shall be identified for further progression by the integrator. Requirements pertaining to response times and performance are two such examples.) |
| 61508-3 Annex D.2.4 c) | Installation instructions: Details of, or reference to, how to install the pre-existing element into the integrated system. |
| 61508-3 Annex D.2.4 d) | The reason for release of the element: Details of whether the pre-existing element has been subject to release to clear outstanding anomalies, or to include additional functionality. |
| 61508-3 Annex D.2.4 e) | Outstanding anomalies: Details of all outstanding anomalies should be given, with an explanation of the anomaly, how it occurs and the mechanisms that the integrator shall apply to mitigate the anomaly should the particular functions be used. |
| 61508-3 Annex D.2.4 f) | Backward compatibility: Details of whether the element is compatible with previous releases of the sub-system and, if not, details of the process providing the upgrade path to be followed. |
| 61508-3 Annex D.2.4 g) | Compatibility with other systems: A pre-existing element may be dependent upon a specially developed operating system. In such circumstances, the version of the specially developed operating system should be detailed. The build standard should also be specified, incorporating compiler identification and version, tools used in creation of the pre-existing element (identification and version), and test pre-existing element used (again identification and version). |
| 61508-3 Annex D.2.4 h) | Element configuration: Details of the pre-existing element name(s) and description(s) should be given, including the version / issue / modification state. |
| 61508-3 Annex D.2.4 i) | Change control: The mechanism by which the integrator can initiate a change request to the producer of the software. |
| 61508-3 Annex D.2.4 j) | Requirements not met: It is conceivable that there may exist specific requirements that have been specified but have not been met in the current revision of the element. In such circumstances, these requirements should be identified for the integrator to consider. |
| 61508-3 Annex D.2.4 k) | Design safe state: In certain circumstances, upon controlled failure of the system application, the element may revert to a design safe state. In such circumstances, the precise definition of the design safe state should be specified for consideration by the integrator. |
| 61508-3 Annex D.2.4 l) | Interface constraints: Details of any specific constraints, in particular user interface requirements, shall be identified. |
| 61508-3 Annex D.2.4 m) | Security: Details of any security measures that may have been implemented against listed threats and vulnerabilities. |
| 61508-3 Annex D.2.4 n) | Configurable elements: Details of the configuration method or methods available for the element, their use and any constraints on their use shall be provided. |
| 61508-3 Annex D.3.1 | All claims in the safety manual for compliant items shall be justified by adequate supporting evidence. See 7.4.9.7 of IEC 61508-2. |
| 61508-3 Annex D.3.2 | The supporting evidence that justifies the claims in the safety manual for compliant items is distinct from the element safety manual. |
| 61508-3 Annex D.3.3 | Where the evidence cannot be made available to facilitate functional safety assessment, the element is not suitable for use in E/E/PE safety-related systems. |
Motivations

| ID | Manual ref |
|---|---|
| 61508-2 Annex D.2.1 a) | The whole manual, especially: 2, 14 |
| 61508-2 Annex D.2.1 b) | 1, 2, 3 |
| 61508-2 Annex D.2.1 c) | 3 |
| 61508-2 Annex D.2.2 a) | 4.1 |
| 61508-2 Annex D.2.2 b) | 4.1 |
| 61508-2 Annex D.2.2 c) | 4.1 |
| 61508-2 Annex D.2.2 d) | 4.1 |
| 61508-2 Annex D.2.2 e) | 4.1 |
| 61508-2 Annex D.2.2 f) | 4.1 |
| 61508-2 Annex D.2.2 g) | 4.1 |
| 61508-2 Annex D.2.2 h) | 4.1 |
| 61508-2 Annex D.2.2 i) | 4.1 |
| 61508-2 Annex D.2.2 j) | 4.1 |
| 61508-2 Annex D.2.2 k) | 4.1 |
| 61508-3 Annex D.1.1 | all |
| 61508-3 Annex D.1.2 | (N/A) |
| 61508-3 Annex D.1.3 | all |
| 61508-3 Annex D.2.1 | all |
| 61508-3 Annex D.2.2 | all |
| 61508-3 Annex D.2.3 a) | 13, 14 |
| 61508-3 Annex D.2.3 b) | 13, 14 |
| 61508-3 Annex D.2.3 c) | 13, 14 |
| 61508-3 Annex D.2.4 a) | 1.4 |
| 61508-3 Annex D.2.4 b) | 4.1, 9, 10 |
| 61508-3 Annex D.2.4 c) | 13, 14 |
| 61508-3 Annex D.2.4 d) | (N/A. A change log for firmware and compiler shall be kept when more than one version of the software is released.) |
| 61508-3 Annex D.2.4 e) | all |
| 61508-3 Annex D.2.4 f) | (N/A. No software backwards compatibility is required for any software element. All elements are released together.) |
| 61508-3 Annex D.2.4 g) | (N/A. No compatibility with other systems.) |
| 61508-3 Annex D.2.4 h) | 14 |
| 61508-3 Annex D.2.4 i) | 1.3 |
| 61508-3 Annex D.2.4 j) | 14 |
| 61508-3 Annex D.2.4 k) | 3 |
| 61508-3 Annex D.2.4 l) | 2, 3, 11.9 |
| 61508-3 Annex D.2.4 m) | 13.9 |
| 61508-3 Annex D.2.4 n) | 14 |
| 61508-3 Annex D.3.1 | (N/A. Certificates supporting claims shall be available to the integrator.) |
| 61508-3 Annex D.3.2 | (N/A) |
| 61508-3 Annex D.3.3 | (N/A) |