61508-2
Not passed: 0
Passed: 85
N/A: 28
| ID | Title | Status | Derived |
|---|---|---|---|
| | EN-61508-2 clause 7.1.3.1: specify E/E/PE system safety lifecycle | PASS | |
| | EN-61508-2 clause 7.1.3.2: procedures shall run in parallel | PASS | |
| | EN-61508-2 clause 7.1.3.3: division of elementary activities of E/E/PE in each system safety lifecycle phase | PASS | |
| | EN-61508-2 clause 7.1.3.4: documentation of each E/E/PE system safety lifecycle phase | PASS | |
| | EN-61508-2 clause 7.1.3.5: each E/E/PE system safety lifecycle phase shall meet objectives and requirements | PASS | |
| | EN-61508-2 clause 7.2.2.1: Design requirements specification | PASS | |
| | EN-61508-2 clause 7.2.2.2: Design requirements specification | PASS | |
| | EN-61508-2 clause 7.2.3.1: design requirements | PASS | |
| | EN-61508-2 clause 7.2.3.2: design requirements details of hardware and software | PASS | |
| | EN-61508-2 clause 7.2.3.3: design requirements details relevant to design | PASS | |
| | EN-61508-2 clause 7.2.3.4: design requirements shall be detailed | PASS | |
| | EN-61508-2 clause 7.2.3.5: appropriate use of techniques and measures | PASS | |
| | EN-61508-2 clause 7.2.3.6: design requirements implications | PASS | |
| | EN-61508-2 clause 7.3.2.1: demonstration for planning | PASS | |
| | EN-61508-2 clause 7.3.2.2: considerations for E/E/PE safety-related system planning | PASS | |
| | EN-61508-2 clause 7.4.2.1: design shall take 7.2.3 requirements into account | PASS | |
| | EN-61508-2 clause 7.4.2.2: design shall meet requirements | PASS | |
| | EN-61508-2 clause 7.4.2.3: E/E/PE implementation of safety and non-safety functions | PASS | |
| | EN-61508-2 clause 7.4.2.4: configuring sufficient requirements | PASS | |
| | EN-61508-2 clause 7.4.2.5: documentation for independence between safety functions | PASS | |
| | EN-61508-2 clause 7.4.2.6: requirements shall be available | PASS | |
| | EN-61508-2 clause 7.4.2.7: developer shall review requirements | PASS | |
| | EN-61508-2 clause 7.4.2.8: Techniques and measures | PASS | |
| | EN-61508-2 clause 7.4.2.9: Justification for techniques and measures | PASS | |
| | EN-61508-2 clause 7.4.2.10: hardware and software interactions | PASS | |
| | EN-61508-2 clause 7.4.2.11: design subsystems | PASS | |
| | EN-61508-2 clause 7.4.2.12: failure analysis of the E/E/PE design | PASS | |
| | EN-61508-2 clause 7.4.2.13: de-rating consideration | PASS | |
| | EN-61508-2 clause 7.4.2.14: ASIC development lifecycle | N/A | |
| | EN-61508-2 clause 7.4.3.1: partitioning into elements of different systematic capabilities | N/A | |
| | EN-61508-2 clause 7.4.3.2: systematic capabilities for elements | N/A | |
| | EN-61508-2 clause 7.4.3.3: systematic capabilities for SC N elements | N/A | |
| | EN-61508-2 clause 7.4.3.4: sufficient independence of the design between elements | N/A | |
| | EN-61508-2 clause 7.4.4.1.1: tolerance requirements | PASS | |
| | EN-61508-2 clause 7.4.4.1.2: type A component requirements | PASS | |
| | EN-61508-2 clause 7.4.4.1.3: type B component requirements | PASS | |
| | EN-61508-2 clause 7.4.4.1.4: estimating safe failure fraction of elements | PASS | |
| | EN-61508-2 clause 7.4.4.1.5: estimating safe failure fraction of elements | N/A | |
| | EN-61508-2 clause 7.4.4.2.1: procedure to determine the maximum safety integrity level | PASS | |
| | EN-61508-2 clause 7.4.4.2.2: application to subsystems | N/A | |
| | EN-61508-2 clause 7.4.4.2.3: maximum safety integrity level | PASS | |
| | EN-61508-2 clause 7.4.4.2.4: hardware fault tolerance | PASS | |
| | EN-61508-2 clause 7.4.4.3.1: hardware fault tolerance | PASS | |
| | EN-61508-2 clause 7.4.4.3.2: requirements for reliability data if Route 2H is selected | N/A | |
| | EN-61508-2 clause 7.4.4.3.3: requirements for reliability data if Route 2H is selected | N/A | |
| | EN-61508-2 clause 7.4.4.3.4: type B diagnostic coverage | PASS | |
| | EN-61508-2 clause 7.4.5.1: estimating random failures | PASS | |
| | EN-61508-2 clause 7.4.5.2: requirements for estimating failures | PASS | |
| | EN-61508-2 clause 7.4.5.3: hardware fault tolerance | N/A | |
| | EN-61508-2 clause 7.4.5.4: diagnostic test interval | N/A | |
| | EN-61508-2 clause 7.4.5.5: actions for when the safety integrity requirement is not achieved | PASS | |
| | EN-61508-2 clause 7.4.6.1: appropriate usage of techniques and measures | PASS | |
| | EN-61508-2 clause 7.4.6.2: SIL design method requirements | PASS | |
| | EN-61508-2 clause 7.4.6.3: maintenance requirements | PASS | |
| | EN-61508-2 clause 7.4.6.4: testing tools | PASS | |
| | EN-61508-2 clause 7.4.6.5: documentation of E/E/PE system integration test planning | PASS | |
| | EN-61508-2 clause 7.4.6.6: separating developers' premises from the users' | N/A | |
| | EN-61508-2 clause 7.4.6.7: preventing faults during the design and development of ASICs | N/A | |
| | EN-61508-2 clause 7.4.7.1: E/E/PE design feature tolerances | PASS | |
| | EN-61508-2 clause 7.4.7.2: consideration for maintainability and testability | PASS | |
| | EN-61508-2 clause 7.4.7.3: human capabilities and limitations in E/E/PE safety-related systems | PASS | |
| | EN-61508-2 clause 7.4.8.1: detection of dangerous faults in subsystems having a hardware fault tolerance more than 0 | PASS | |
| | EN-61508-2 clause 7.4.8.2: detection of a dangerous fault in subsystems having a hardware fault tolerance of 0: actions | N/A | |
| | EN-61508-2 clause 7.4.8.3: detection of a dangerous fault in subsystems having a hardware fault tolerance of 0 | PASS | |
| | EN-61508-2 clause 7.4.9.1: E/E/PE safety-related system implementation | PASS | |
| | EN-61508-2 clause 7.4.9.2: subsystems shall be identified and documented | PASS | |
| | EN-61508-2 clause 7.4.9.3: informational requirements for each subsystem and element | PASS | |
| | EN-61508-2 clause 7.4.9.4: informational requirements for each element that is liable to random hardware failure | PASS | |
| | EN-61508-2 clause 7.4.9.5: determining failure rates | PASS | |
| | EN-61508-2 clause 7.4.9.6: suppliers shall provide a safety manual | PASS | |
| | EN-61508-2 clause 7.4.9.7: supplier shall document a justification | PASS | |
| | EN-61508-2 clause 7.4.10.1: determining how to prove an element | N/A | |
| | EN-61508-2 clause 7.4.10.2: documentary evidence clarification | N/A | |
| | EN-61508-2 clause 7.4.10.3: impact analysis when there are differences between conditions | N/A | |
| | EN-61508-2 clause 7.4.10.4: documentation of a proven-in-use safety justification | N/A | |
| | EN-61508-2 clause 7.4.10.5: determining if requirements (7.4.10.1 to 7.4.10.4) have been met | N/A | |
| | EN-61508-2 clause 7.4.10.6: element functions that are not in use shall not affect the safety integrity of elements that are in use | N/A | |
| | EN-61508-2 clause 7.4.10.7: future modifications shall comply | PASS | |
| | EN-61508-2 clause 7.4.11.1: failure measures for data communication | PASS | |
| | EN-61508-2 clause 7.4.11.2: techniques and measures for the communication process | PASS | |
| | EN-61508-2 clause 7.5.2.1: E/E/PE implementation and testing | N/A | |
| | EN-61508-2 clause 7.5.2.2: E/E/PE safety-related system shall be tested as specified | N/A | |
| | EN-61508-2 clause 7.5.2.3: integration according to 7.5 of IEC 61508-3 | N/A | |
| | EN-61508-2 clause 7.5.2.4: integration test documentation | N/A | |
| | EN-61508-2 clause 7.5.2.5: integration and testing modifications | N/A | |
| | EN-61508-2 clause 7.5.2.6: E/E/PE system integration testing informational requirements | N/A | |
| | EN-61508-2 clause 7.5.2.7: avoidance of faults during E/E/PE system integration | N/A | |
| | EN-61508-2 clause 7.6.2.1: E/E/PE system operation and maintenance procedures specifications | PASS | |
| | EN-61508-2 clause 7.6.2.2: E/E/PE safety-related system operation and maintenance procedures shall be continuously upgraded | PASS | |
| | EN-61508-2 clause 7.6.2.3: E/E/PE safety-related system operation and maintenance procedures shall be continuously upgraded | PASS | |
| | EN-61508-2 clause 7.6.2.4: E/E/PE system operations and maintenance procedures | PASS | |
| | EN-61508-2 clause 7.6.2.5: avoidance of faults and failures during E/E/PE system operation and maintenance procedures | PASS | |
| | EN-61508-2 clause 7.7.2.1: validation in accordance with a prepared plan (7.7 of IEC 61508-3) | PASS | |
| | EN-61508-2 clause 7.7.2.2: test measurement equipment used for validation shall be calibrated | PASS | |
| | EN-61508-2 clause 7.7.2.3: all E/E/PE system safety requirements shall be validated by test/analysis | PASS | |
| | EN-61508-2 clause 7.7.2.4: test measurement equipment calibration during validation | PASS | |
| | EN-61508-2 clause 7.7.2.5: documentation during discrepancies | PASS | |
| | EN-61508-2 clause 7.7.2.6: results shall be available for validation testing | N/A | |
| | EN-61508-2 clause 7.7.2.7: avoidance of faults during validation | PASS | |
| | EN-61508-2 clause 7.8.2.1: documentation for each E/E/PE system modification activity | PASS | |
| | EN-61508-2 clause 7.8.2.2: compliance for manufacturers or system suppliers | PASS | |
| | EN-61508-2 clause 7.8.2.3: modification requirements | PASS | |
| | EN-61508-2 clause 7.8.2.4: reverification/revalidation after modification | PASS | |
| | EN-61508-2 clause 7.9.2.1: planning verifications concurrently | PASS | |
| | EN-61508-2 clause 7.9.2.2: verification references | PASS | |
| | EN-61508-2 clause 7.9.2.3: verification planning specification | PASS | |
| | EN-61508-2 clause 7.9.2.4: verification planning considerations | PASS | |
| | EN-61508-2 clause 7.9.2.5: design and development phase requirements | PASS | |
| | EN-61508-2 clause 7.9.2.6: documentation of each verification activity | PASS | |
| | EN-61508-2 clause 7.9.2.7: design verification requirements | PASS | |
| | EN-61508-2 clause 7.9.2.8: design and development verifications | PASS | |
| | EN-61508-2 clause 7.9.2.9: integration of E/E/PE safety-related system | PASS | |
| | EN-61508-2 clause 7.9.2.10: test case documentation | PASS | |
Requirement: EN-61508-2 clause 7.1.3.1: specify E/E/PE system safety lifecycle EN_61508_2_7_1_3_1

The E/E/PE system safety lifecycle that shall be used in claiming conformance with this standard is that specified in Figure 2. A detailed V-model of the ASIC development lifecycle for the design of ASICs (see IEC 61508-4, 3.2.15) is shown in Figure 3. If another E/E/PE system safety lifecycle or ASIC development lifecycle is used, it shall be specified as part of the management of functional safety activities (see Clause 6 of IEC 61508-1), and all the objectives and requirements of each subclause of IEC 61508-2 shall be met.

Requirement: EN-61508-2 clause 7.1.3.2: procedures shall run in parallel EN_61508_2_7_1_3_2

The procedures for management of functional safety (see Clause 6 of IEC 61508-1) shall run in parallel with the E/E/PE system safety lifecycle phases.

Requirement: EN-61508-2 clause 7.1.3.3: division of elementary activities of E/E/PE in each system safety lifecycle phase EN_61508_2_7_1_3_3

Each phase of the E/E/PE system safety lifecycle shall be divided into elementary activities, with the scope, inputs and outputs specified for each phase (see Table 1).

Requirement: EN-61508-2 clause 7.1.3.4: documentation of each E/E/PE system safety lifecycle phase EN_61508_2_7_1_3_4

Unless justified as part of the management of functional safety activities (see Clause 6 of IEC 61508-1), the outputs of each phase of the E/E/PE system safety lifecycle shall be documented (see Clause 5 of IEC 61508-1).

Requirement: EN-61508-2 clause 7.1.3.5: each E/E/PE system safety lifecycle phase shall meet objectives and requirements EN_61508_2_7_1_3_5

The outputs for each E/E/PE system safety lifecycle phase shall meet the objectives and requirements specified for each phase (see 7.2 to 7.9).
Requirement: EN-61508-2 clause 7.2.2.1: Design requirements specification EN_61508_2_7_2_2_1

The specification of the E/E/PE system design requirements shall be derived from the E/E/PE system safety requirements, specified in 7.10 of IEC 61508-1.

Requirement: EN-61508-2 clause 7.2.2.2: Design requirements specification EN_61508_2_7_2_2_2

The specification of the E/E/PE system design requirements shall be expressed and structured in such a way that they are: a) clear, precise, unambiguous, verifiable, testable, maintainable and feasible; b) written to aid comprehension by those who are likely to utilise the information at any phase of the E/E/PE safety lifecycle; and c) traceable to the E/E/PE system safety requirements specification.

Requirement: EN-61508-2 clause 7.2.3.1: design requirements EN_61508_2_7_2_3_1

The specification of the E/E/PE system design requirements shall contain design requirements relating to safety functions (see 7.2.3.2) and design requirements relating to safety integrity (see 7.2.3.3).

Requirement: EN-61508-2 clause 7.2.3.2: design requirements details of hardware and software EN_61508_2_7_2_3_2

The specification of the E/E/PE system design requirements shall contain details of all the hardware and software necessary to implement the required safety functions, as specified by the E/E/PE system safety functions requirements specification (see 7.10.2.6 of IEC 61508-1). The specification shall include, for each safety function: a) requirements for the subsystems and requirements for their hardware and software elements as appropriate; b) requirements for the integration of the subsystems and their hardware and software elements to meet the E/E/PE system safety functions requirements specification; c) throughput performance that enables response time requirements to be met; d) accuracy and stability requirements for measurements and controls; e) E/E/PE safety-related system and operator interfaces; f) interfaces between the E/E/PE safety-related systems and any other systems (either within, or outside, the EUC); g) all modes of behaviour of the E/E/PE safety-related systems, in particular, failure behaviour and the required response (for example alarms, automatic shut-down) of the E/E/PE safety-related systems; h) the significance of all hardware/software interactions and, where relevant, any required constraints between the hardware and the software; i) any limiting and constraint conditions for the E/E/PE safety-related systems and their associated elements, for example timing constraints or constraints due to the possibility of common cause failures; j) any specific requirements related to the procedures for starting-up and restarting the E/E/PE safety-related systems.

Requirement: EN-61508-2 clause 7.2.3.3: design requirements details relevant to design EN_61508_2_7_2_3_3

The specification of the E/E/PE system design requirements shall contain details, relevant to the design, to achieve the safety integrity level and the required target failure measure for the safety function, as specified by the E/E/PE system safety integrity requirements specification (see 7.10.2.7 of IEC 61508-1), including: a) the architecture of each subsystem required to meet the architectural constraints on the hardware safety integrity (see 7.4.4); b) all relevant reliability modelling parameters such as the required proof testing frequency of all hardware elements necessary to achieve the target failure measure; c) the actions taken in the event of a dangerous failure being detected by diagnostics; d) the requirements, constraints, functions and facilities to enable the proof testing of the E/E/PE hardware to be undertaken; e) the capabilities of equipment used to meet the extremes of all environmental conditions (e.g. temperature, humidity, mechanical, electrical) that are specified as required during the E/E/PE system safety lifecycle including manufacture, storage, transport, testing, installation, commissioning, operation and maintenance; f) the electromagnetic immunity levels that are required (see IEC/TS 61000-1-2: 2008); g) the quality assurance/quality control measures necessary to safety management (see 6.2.5 of IEC 61508-1);

Requirement: EN-61508-2 clause 7.2.3.4: design requirements shall be detailed EN_61508_2_7_2_3_4

The E/E/PE system design requirements specification shall be completed in detail as the design progresses and updated as necessary after modification.

Requirement: EN-61508-2 clause 7.2.3.5: appropriate use of techniques and measures EN_61508_2_7_2_3_5

For the avoidance of mistakes during the development of the specification for the E/E/PE system design requirements, an appropriate group of techniques and measures according to Table B.1 shall be used.

Requirement: EN-61508-2 clause 7.2.3.6: design requirements implications EN_61508_2_7_2_3_6

The implications imposed on the architecture by the E/E/PE system design requirements shall be considered.
Requirement: EN-61508-2 clause 7.3.2.1: demonstration for planning EN_61508_2_7_3_2_1

Planning shall be carried out to specify the steps (both procedural and technical) that are to be used to demonstrate that the E/E/PE safety-related system satisfies the E/E/PE system safety requirements specification (see 7.10 of IEC 61508-1) and the E/E/PE system design requirements specification (see 7.2).

Requirement: EN-61508-2 clause 7.3.2.2: considerations for E/E/PE safety-related system planning EN_61508_2_7_3_2_2

Planning for the validation of the E/E/PE safety-related system shall consider the following: a) all of the requirements defined in the E/E/PE system safety requirements specification and the E/E/PE system design requirements specification; b) the procedures to be applied to validate that each safety function is correctly implemented, and the pass/fail criteria for accomplishing the tests; c) the procedures to be applied to validate that each safety function is of the required safety integrity, and the pass/fail criteria for accomplishing the tests; d) the required environment in which the testing is to take place including all necessary tools and equipment (also plan which tools and equipment should be calibrated); e) test evaluation procedures (with justifications); f) the test procedures and performance criteria to be applied to validate the specified electromagnetic immunity limits;

Requirement: EN-61508-2 clause 7.4.2.1: design shall take 7.2.3 requirements into account EN_61508_2_7_4_2_1

The design of the E/E/PE safety-related system shall be created in accordance with the E/E/PE system design requirements specification (see 7.2.3), taking into account all the requirements of 7.2.3.

Requirement: EN-61508-2 clause 7.4.2.2: design shall meet requirements EN_61508_2_7_4_2_2

The design of the E/E/PE safety-related system (including the overall hardware and software architecture, sensors, actuators, programmable electronics, ASICs, embedded software, application software, data etc.), shall meet all of the requirements a) to e) as follows: a) the requirements for hardware safety integrity comprising;
b) the special architecture requirements for ICs with on-chip redundancy (see Annex E), where relevant, unless justification can be given that the same level of independence between different channels is achieved by applying a different set of measures; c) the requirements for systematic safety integrity (systematic capability), which can be met by achieving one of the following compliance routes:
d) the requirements for system behaviour on detection of a fault (see 7.4.8); e) the requirements for data communication processes (see 7.4.11).

Requirement: EN-61508-2 clause 7.4.2.3: E/E/PE implementation of safety and non-safety functions EN_61508_2_7_4_2_3

Where an E/E/PE safety-related system is to implement both safety and non-safety functions, then all the hardware and software shall be treated as safety-related unless it can be shown that the implementation of the safety and non-safety functions is sufficiently independent (i.e. that the failure of any non-safety-related functions does not cause a dangerous failure of the safety-related functions).

Requirement: EN-61508-2 clause 7.4.2.4: configuring sufficient requirements EN_61508_2_7_4_2_4

The requirements for hardware and software shall be determined by the safety integrity level of the safety function having the highest safety integrity level unless it can be shown that the implementation of the safety functions of the different safety integrity levels is sufficiently independent.

Requirement: EN-61508-2 clause 7.4.2.5: documentation for independence between safety functions EN_61508_2_7_4_2_5

When independence between safety functions is required (see 7.4.2.3 and 7.4.2.4) then the following shall be documented during the design: a) the method of achieving independence; b) the justification of the method.

Requirement: EN-61508-2 clause 7.4.2.6: requirements shall be available EN_61508_2_7_4_2_6

The requirements for safety-related software (see IEC 61508-3) shall be made available to the developer of the E/E/PE safety-related system.

Requirement: EN-61508-2 clause 7.4.2.7: developer shall review requirements EN_61508_2_7_4_2_7

The developer of the E/E/PE safety-related system shall review the requirements for safety-related software and hardware to ensure that they are adequately specified. In particular, the E/E/PE system developer shall consider the following: a) safety functions; b) E/E/PE safety-related system safety integrity requirements; c) equipment and operator interfaces.

Requirement: EN-61508-2 clause 7.4.2.8: Techniques and measures EN_61508_2_7_4_2_8

The E/E/PE safety-related system design documentation shall specify those techniques and measures necessary during the E/E/PE system safety lifecycle phases to achieve the safety integrity level.

Requirement: EN-61508-2 clause 7.4.2.9: Justification for techniques and measures EN_61508_2_7_4_2_9

The E/E/PE safety-related system design documentation shall justify the techniques and measures chosen to form an integrated set that satisfies the required safety integrity level.

Requirement: EN-61508-2 clause 7.4.2.10: hardware and software interactions EN_61508_2_7_4_2_10

During the design and development activities, the significance (where relevant) of all hardware and software interactions shall be identified, evaluated and documented.

Requirement: EN-61508-2 clause 7.4.2.11: design subsystems EN_61508_2_7_4_2_11

The design shall be based on a decomposition into subsystems with each subsystem having a specified design and set of integration tests (see 7.5.2).

Requirement: EN-61508-2 clause 7.4.2.12: failure analysis of the E/E/PE design EN_61508_2_7_4_2_12

When the initial design of the E/E/PE safety-related system has been completed, an analysis shall be undertaken to determine whether any reasonably foreseeable failure of the E/E/PE safety-related system could cause a hazardous situation or place a demand on any other risk control measure. If any reasonably foreseeable failure could have either of these effects, then the first priority shall be to change the design of the E/E/PE safety-related system to avoid such failure modes. If this cannot be done, then measures shall be taken to reduce the likelihood of such failure modes to a level commensurate with the target failure measure. These measures shall be subject to the requirements of this standard.

Requirement: EN-61508-2 clause 7.4.2.13: de-rating consideration EN_61508_2_7_4_2_13

De-rating (see IEC 61508-7) should be considered for all hardware components. Justification for operating any hardware elements at their limits shall be documented (see IEC 61508-1, Clause 5).

Requirement: EN-61508-2 clause 7.4.2.14: ASIC development lifecycle EN_61508_2_7_4_2_14

Where the design of an E/E/PE safety-related system includes one or more ASICs to implement a safety function, an ASIC development lifecycle (see 7.1.3.1) shall be used.
Requirement: EN-61508-2 clause 7.4.3.1: partitioning into elements of different systematic capabilities EN_61508_2_7_4_3_1

To meet the requirements for systematic safety integrity, the designated safety-related E/E/PE system may, in the circumstances described in this section, be partitioned into elements of different systematic capability.

Requirement: EN-61508-2 clause 7.4.3.2: systematic capabilities for elements EN_61508_2_7_4_3_2

For an element of systematic capability SC N (N=1, 2, 3), where a systematic fault of that element does not cause a failure of the specified safety function but does so only in combination with a second systematic fault of another element of systematic capability SC N, the systematic capability of the combination of the two elements can be treated as having a systematic capability of SC (N + 1) providing that sufficient independence exists between the two elements (see 7.4.3.4).

Requirement: EN-61508-2 clause 7.4.3.3: systematic capabilities for SC N elements EN_61508_2_7_4_3_3

The systematic capability that can be claimed for a combination of elements each of systematic capability SC N can at most be SC (N+1). A SC N element may be used in this way only once. It is not permitted to achieve SC (N+2) and higher by successively building assemblies of SC N elements.

Requirement: EN-61508-2 clause 7.4.3.4: sufficient independence of the design between elements EN_61508_2_7_4_3_4

Sufficient independence, in the design between elements and in the application of elements, shall be justified by common cause failure analysis to show that the likelihood of interference between elements and between the elements and the environment is sufficiently low in comparison with the safety integrity level of the safety function under consideration.

Requirement: EN-61508-2 clause 7.4.4.1.1: tolerance requirements EN_61508_2_7_4_4_1_1

With respect to the hardware fault tolerance requirements a) a hardware fault tolerance of N means that N+1 is the minimum number of faults that could cause a loss of the safety function (for further clarification see Note 1 and Table 2 and Table 3). In determining the hardware fault tolerance no account shall be taken of other measures that may control the effects of faults such as diagnostics; and b) where one fault directly leads to the occurrence of one or more subsequent faults, these are considered as a single fault; c) when determining the hardware fault tolerance achieved, certain faults may be excluded, provided that the likelihood of them occurring is very low in relation to the safety integrity requirements of the subsystem. Any such fault exclusions shall be justified and documented (see Note 2).

Requirement: EN-61508-2 clause 7.4.4.1.2: type A component requirements EN_61508_2_7_4_4_1_2

An element can be regarded as type A if, for the components required to achieve the safety function a) the failure modes of all constituent components are well defined; and b) the behaviour of the element under fault conditions can be completely determined; and c) there is sufficient dependable failure data to show that the claimed rates of failure for detected and undetected dangerous failures are met (see 7.4.9.3 to 7.4.9.5).

Requirement: EN-61508-2 clause 7.4.4.1.3: type B component requirements EN_61508_2_7_4_4_1_3

An element shall be regarded as type B if, for the components required to achieve the safety function, a) the failure mode of at least one constituent component is not well defined; or b) the behaviour of the element under fault conditions cannot be completely determined; or c) there is insufficient dependable failure data to support claims for rates of failure for detected and undetected dangerous failures (see 7.4.9.3 to 7.4.9.5).
Requirement: EN-61508-2 clause 7.4.4.1.4: estimating safe failure fraction of elements EN_61508_2_7_4_4_1_4

When estimating the safe failure fraction of an element, intended to be used in a subsystem having a hardware fault tolerance of 0, and which is implementing a safety function, or part of a safety function, operating in high demand mode or continuous mode of operation, credit shall only be taken for the diagnostics if:

Requirement: EN-61508-2 clause 7.4.4.1.5: estimating safe failure fraction of elements EN_61508_2_7_4_4_1_5

When estimating the safe failure fraction of an element which,
credit shall only be taken for the diagnostics if the sum of the diagnostic test interval and the time to perform the repair of a detected failure is less than the MTTR used in the calculation to determine the achieved safety integrity for that safety function.

Requirement: EN-61508-2 clause 7.4.4.2.1: procedure to determine the maximum safety integrity level EN_61508_2_7_4_4_2_1

To determine the maximum safety integrity level that can be claimed, with respect to a specified safety function, the following procedure shall be followed: 1) Define the subsystems making up the E/E/PE safety-related system. 2) For each subsystem determine the safe failure fraction for all elements in the subsystem separately (i.e. on an individual element basis with each element having a hardware fault tolerance of 0). In the case of redundant element configurations, the SFF may be calculated by taking into consideration the additional diagnostics that may be available (e.g. by comparison of redundant elements). 3) For each element, use the achieved safe failure fraction and hardware fault tolerance of 0 to determine the maximum safety integrity level that can be claimed from column 2 of Table 2 (for Type A elements) and column 2 of Table 3 (for Type B elements). 4) Use the method in 7.4.4.2.3 and 7.4.4.2.4 for determining the maximum safety integrity level that can be claimed for the subsystem. 5) The maximum safety integrity level that can be claimed for an E/E/PE safety-related system shall be determined by the subsystem that has achieved the lowest safety integrity level.

Requirement: EN-61508-2 clause 7.4.4.2.2: application to subsystems EN_61508_2_7_4_4_2_2

For application to subsystems comprising elements that meet the specific requirements detailed below, as an alternative to applying the requirements of 7.4.4.2.1 2) to 7.4.4.2.1 4), the following is applicable: 1) the subsystem is comprised of more than one element; and 2) the elements are of the same type; and 3) all the elements have achieved safe failure fractions that are in the same range (see Note 1 below) specified in Tables 2 or 3; then the following procedure may be followed,

Requirement: EN-61508-2 clause 7.4.4.2.3: maximum safety integrity level EN_61508_2_7_4_4_2_3

In an E/E/PE safety-related subsystem where a number of element safety functions are implemented through a serial combination of elements (such as in Figure 5), the maximum safety integrity level that can be claimed for the safety function under consideration shall be determined by the element that has achieved the lowest safety integrity level for the achieved safe failure fraction for a hardware fault tolerance of 0. To illustrate the method, assume an architecture as indicated in Figure 5 and see example below.

Requirement: EN-61508-2 clause 7.4.4.2.4: hardware fault tolerance EN_61508_2_7_4_4_2_4

In an E/E/PE safety-related subsystem where an element safety function is implemented through a number of channels (combination of parallel elements) having a hardware fault tolerance of N, the maximum safety integrity level that can be claimed for the safety function under consideration shall be determined by: a) grouping the serial combination of elements for each channel and then determining the maximum safety integrity level that can be claimed for the safety function under consideration for each channel (see 7.4.4.2.3); and b) selecting the channel with the highest safety integrity level that has been achieved for the safety function under consideration and then adding N safety integrity levels to determine the maximum safety integrity level for the overall combination of the subsystem. To illustrate the method, assume an architecture as indicated in Figure 6 and see example below.

Requirement: EN-61508-2 clause 7.4.4.3.1: hardware fault tolerance EN_61508_2_7_4_4_3_1

The minimum hardware fault tolerance for each subsystem of an E/E/PE safety-related system implementing a safety function of a specified safety integrity level shall be as follows: a) a hardware fault tolerance of 2 for a specified safety function of SIL 4 unless the conditions in 7.4.4.3.2 apply. b) a hardware fault tolerance of 1 for a specified safety function of SIL 3 unless the conditions in 7.4.4.3.2 apply. c) a hardware fault tolerance of 1 for a specified safety function of SIL 2, operating in a high demand or continuous mode of operation, unless the conditions in 7.4.4.3.2 apply. d) a hardware fault tolerance of 0 for a specified safety function of SIL 2 operating in a low demand mode of operation. e) a hardware fault tolerance of 0 for a specified safety function of SIL 1.
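The clauses 7.4.4.1.5, 7.4.4.2.1, 7.4.4.2.3, 7.4.4.2.4 and 7.4.4.3.1 above together describe one mechanical procedure: compute each element's safe failure fraction (crediting diagnostics only when diagnostic interval plus repair time stays below the assumed MTTR), look up the maximum SIL per element at HFT 0, take the weakest element in each serial chain, add N levels for N-fault-tolerant parallel channels, and finally check the minimum HFT the target SIL demands. The Python below is an added worked example written for this page; it is not text of IEC 61508-2 and not part of the traceability report. The Table 2 / Table 3 entries it encodes are assumed from the editor's reading of the standard (the tables themselves are not reproduced on this page), and every failure rate, interval and element name is a constructed sample value.

```python
"""SIL-claim check under Route 1H architectural constraints (added example).

Encodes 7.4.4.1.5 (diagnostic credit), 7.4.4.2.1 steps 2-3 (per-element
SFF and Table 2/3 lookup at HFT 0), 7.4.4.2.3 (serial: weakest element),
7.4.4.2.4 (parallel channels: best channel + N) and 7.4.4.3.1 (minimum
HFT). Table 2/3 values are ASSUMED from the standard, not taken from this
page; all failure rates are constructed sample values.
"""
from dataclasses import dataclass

MAX_SIL = 4  # SIL 4 is the highest level defined in IEC 61508

# Lower bounds of the SFF bands used by Tables 2 and 3:
# <60 %, 60 % to <90 %, 90 % to <99 %, >=99 %.
SFF_BANDS = (0.00, 0.60, 0.90, 0.99)
# Maximum SIL per band for HFT 0, 1, 2 (ASSUMED values; 0 = not allowed).
TABLE_2_TYPE_A = ((1, 2, 3), (2, 3, 4), (3, 4, 4), (3, 4, 4))
TABLE_3_TYPE_B = ((0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 4))


@dataclass
class Element:
    """One element of a channel; rates are per hour (constructed values)."""
    name: str
    element_type: str             # "A" or "B" per 7.4.4.1.2 / 7.4.4.1.3
    lambda_s: float               # safe failures
    lambda_dd: float              # dangerous, detected by diagnostics
    lambda_du: float              # dangerous, undetected
    diag_interval_h: float = 0.0  # diagnostic test interval
    repair_h: float = 0.0         # time to repair a detected failure


def safe_failure_fraction(e: Element, mttr_h: float) -> float:
    """SFF = (sum lambda_S + sum lambda_DD) / (sum of all failure rates).

    Per 7.4.4.1.5, diagnostics are credited only if diagnostic test interval
    + repair time is below the MTTR used in the reliability calculation;
    otherwise detected dangerous failures count as undetected."""
    total = e.lambda_s + e.lambda_dd + e.lambda_du
    credited = (e.diag_interval_h + e.repair_h) < mttr_h
    return (e.lambda_s + (e.lambda_dd if credited else 0.0)) / total


def sff_band(sff: float) -> int:
    """Index of the Table 2/3 row that contains this SFF."""
    return max(i for i, lower in enumerate(SFF_BANDS) if sff >= lower)


def max_sil_for_element(e: Element, sff: float, hft: int = 0) -> int:
    """Table 2 (type A) or Table 3 (type B) lookup; 0 means not allowed."""
    table = TABLE_2_TYPE_A if e.element_type == "A" else TABLE_3_TYPE_B
    return table[sff_band(sff)][hft]


def max_sil_serial(elements, mttr_h: float) -> int:
    """7.4.4.2.3: a serial chain is limited by its weakest element at HFT 0."""
    return min(max_sil_for_element(e, safe_failure_fraction(e, mttr_h))
               for e in elements)


def max_sil_parallel(channels, hft: int, mttr_h: float) -> int:
    """7.4.4.2.4: best channel's SIL plus N for HFT N, capped at SIL 4."""
    best = max(max_sil_serial(ch, mttr_h) for ch in channels)
    return min(best + hft, MAX_SIL)


def minimum_hft(sil: int, high_demand: bool = True) -> int:
    """7.4.4.3.1 minimum HFT per SIL (without the 7.4.4.3.2 relief)."""
    if sil == 4:
        return 2
    if sil == 3:
        return 1
    if sil == 2:
        return 1 if high_demand else 0
    return 0


def assess_subsystem(channels, hft: int, mttr_h: float, target_sil: int,
                     high_demand: bool = True) -> dict:
    """Combine the 7.4.4.2.x claim with the 7.4.4.3.1 minimum-HFT rule."""
    claimable = max_sil_parallel(channels, hft, mttr_h)
    needed_hft = minimum_hft(target_sil, high_demand)
    return {
        "max_sil_claimable": claimable,
        "min_hft_required": needed_hft,
        "constraints_met": claimable >= target_sil and hft >= needed_hft,
    }


def example() -> dict:
    """Constructed 1oo2 subsystem (HFT 1): each channel is transmitter -> logic solver."""
    transmitter = Element("pressure transmitter", "A", 2e-6, 1e-6, 1e-6, 1.0, 4.0)
    logic_solver = Element("logic solver", "B", 6e-6, 3e-6, 5e-7, 1.0, 4.0)
    channel = [transmitter, logic_solver]
    return assess_subsystem([channel, channel], hft=1, mttr_h=8.0, target_sil=3)


if __name__ == "__main__":
    print(example())
```

In the constructed case each channel is held to SIL 2 by its own elements (type A transmitter at SFF 75 %, type B logic solver at roughly 95 %), so the HFT 1 combination claims SIL 3, and SIL 3 also needs an HFT of at least 1, which the 1oo2 layout provides. The `safe_failure_fraction` check is where 7.4.4.1.5 bites in practice: a type B element whose diagnostics run too slowly relative to the assumed MTTR loses its detected-dangerous credit, and with an SFF under 60 % it is not claimable at all at HFT 0.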
Requirement: EN-61508-2 clause 7.4.4.3.2: requirements for reliability data if Route 2H is selected EN_61508_2_7_4_4_3_2

For type A elements only, if it is determined that by following the HFT requirements specified in 7.4.4.3.1, for the situation where an HFT greater than 0 is required, it would introduce additional failures and lead to a decrease in the overall safety of the EUC, then a safer alternative architecture with reduced HFT may be implemented. In such a case this shall be justified and documented. The justification shall provide evidence that: a) compliance with the HFT requirements specified in 7.4.4.3.1 would introduce additional failures and lead to a decrease in the overall safety of the EUC; and b) if the HFT is reduced to zero, the failure modes, identified in the element performing the safety function, can be excluded because the dangerous failure rate(s) of the identified failure mode(s) are very low compared to the target failure measure for the safety function under consideration (see 7.4.4.1.1 c)). That is, the sum of the dangerous failure frequencies of all serial elements, on which fault exclusion is being claimed, should not exceed 1 % of the target failure measure. Furthermore the applicability of fault exclusions shall be justified considering the potential for systematic faults.

Requirement: EN-61508-2 clause 7.4.4.3.3: requirements for reliability data if Route 2H is selected EN_61508_2_7_4_4_3_3

If Route 2H is selected, then the reliability data used when quantifying the effect of random hardware failures (see 7.4.5) shall be: a) based on field feedback for elements in use in a similar application and environment; and, b) based on data collected in accordance with international standards (e.g., IEC 60300-3-2 or ISO 14224:); and,
in order to estimate the average and the uncertainty level (e.g., the 90 % confidence interval or the probability distribution (see Note 2)) of each reliability parameter (e.g., failure rate) used in the calculations. If Route 2H is selected, then the reliability data uncertainties shall be taken into account when calculating the target failure measure (i.e. PFDavg or PFH) and the system shall be improved until there is a confidence greater than 90 % that the target failure measure is achieved.

Requirement: EN-61508-2 clause 7.4.4.3.4: type B diagnostic coverage EN_61508_2_7_4_4_3_4

All type B elements used in Route 2H shall have, as a minimum, a diagnostic coverage of not less than 60 %.

Requirement: EN-61508-2 clause 7.4.5.1: estimating random failures EN_61508_2_7_4_5_1

For each safety function, the achieved safety integrity of the E/E/PE safety-related system due to random hardware failures (including soft-errors) and random failures of data communication processes shall be estimated in accordance with 7.4.5.2 and 7.4.11, and shall be equal to or less than the target failure measure as specified in the E/E/PE system safety requirements specification (see IEC 61508-1, 7.10).

Requirement: EN-61508-2 clause 7.4.5.2: requirements for estimating failures EN_61508_2_7_4_5_2

The estimate of the achieved failure measure for each safety function, as required by 7.4.5.1, shall take into account: a) the architecture of the E/E/PE safety-related system, in terms of its subsystems, as it relates to each safety function under consideration; b) the architecture of each subsystem of the E/E/PE safety-related system, in terms of its elements, as it relates to each safety function under consideration; c) the estimated failure rate of each subsystem and its elements in any modes that would cause a dangerous failure of the E/E/PE safety-related system but are detected by diagnostic tests (see 7.4.9.4 to 7.4.9.5). Justification for the failure rates should be given considering the source of the data and its accuracy or tolerance. This may include consideration and the comparison of data from a number of sources and the selection of failure rates from systems most closely resembling that under consideration. Failure rates used for quantifying the effect of random hardware failures and calculating safe failure fraction or diagnostic coverage shall take into account the specified operating conditions. d) the susceptibility of the E/E/PE safety-related system and its subsystems to common cause failures (see Notes 3 and 4). There shall be a justification of the assumptions made; e) the diagnostic coverage of the diagnostic tests (determined according to Annex C), the associated diagnostic test interval and the rate of dangerous unrevealed failure of the diagnostics due to random hardware failures of each subsystem. Where relevant, only those diagnostic tests that meet the requirements of 7.4.5.3 shall be considered. The MTTR and MRT (see 3.6.21 and 3.6.22 of IEC 61508-4), shall be considered in the reliability model.
f) the intervals at which proof tests are undertaken to reveal dangerous faults; g) whether the proof test is likely to be 100 % effective; h) the repair times for detected failures; i) the effect of random human error if a person is required to take action to achieve the safety function. j) the fact that a number of modelling methods are available and that the most appropriate method is a matter for the analyst and will depend on the circumstances. Available methods include cause consequence analysis (B.6.6.2 of IEC 61508-7;), fault tree analysis (B.6.6.5 of IEC 61508-7;), Markov models (Annex B of IEC 61508-6 and B.6.6.6 of IEC 61508-7), reliability block diagrams (Annex B of IEC 61508-6 and B.6.6.7 of IEC 61508-7;) and Petri nets (Annex B of IEC 61508-6 and B.2.3.3 of IEC 61508-7). |
When quantifying the effect of random hardware failures of a subsystem, having a hardware fault tolerance of 0, and which is implementing a safety function, or part of a safety function, operating in high demand mode or continuous mode of operation, credit shall only be taken for the diagnostics if:
|
The diagnostic test interval of any subsystem:
shall be such that the sum of the diagnostic test interval and the time to perform the repair of a detected failure is less than the MTTR used in the calculation to determine the achieved safety integrity for that safety function. |
Requirement: EN-61508-2 clause 7.4.5.5: actions for when the safety integrity requirement is not achieved EN_61508_2_7_4_5_5
|
If, for a particular design, the safety integrity requirement for the relevant safety function is not achieved then: a) determine the elements, subsystems and/or parameters contributing most to the function’s calculated failure rate; b) evaluate the effect of possible improvement measures on the identified critical elements, subsystems or parameters (for example, more reliable components, additional defences against common mode failures, increased diagnostic coverage, increased redundancy, reduced proof test interval, staggering tests, etc.); c) select and implement the applicable improvements; d) repeat the necessary steps to establish the new probability of a random hardware failure. |
Requirement: EN-61508-2 clause 7.4.6.1: appropriate usage of techniques and measures EN_61508_2_7_4_6_1
|
An appropriate group of techniques and measures shall be used that are designed to prevent the introduction of faults during the design and development of the hardware and software of the E/E/PE safety-related system (see Table B.2 and IEC 61508-3). |
In accordance with the required safety integrity level the design method chosen shall possess features that facilitate a) transparency, modularity and other features that control complexity; b) clear and precise expression of
c) clear and precise documentation and communication of information; d) verification and validation. |
Maintenance requirements, to ensure that the safety integrity requirements of the E/E/PE safety-related systems continue to be met, shall be formalised at the design stage. |
Where applicable, automatic testing tools and integrated development tools shall be used. |
Requirement: EN-61508-2 clause 7.4.6.5: documentation of E/E/PE system integration test planning EN_61508_2_7_4_6_5
|
During the design, E/E/PE system integration tests shall be planned. Documentation of the test planning shall include a) the types of tests to be performed and procedures to be followed; b) the test environment, tools, configuration and programs; c) the pass/fail criteria. |
Requirement: EN-61508-2 clause 7.4.6.6: separating the developer's premises from the user's site EN_61508_2_7_4_6_6
|
During the design, those activities that can be carried out on the developer’s premises shall be distinguished from those that require access to the user’s site. |
Requirement: EN-61508-2 clause 7.4.6.7: preventing faults during the design and development of ASICs EN_61508_2_7_4_6_7
|
An appropriate group of techniques and measures shall be used that are essential to prevent the introduction of faults during the design and development of ASICs. |
For controlling systematic faults, the E/E/PE system design shall possess design features that make the E/E/PE safety-related systems tolerant against: a) any residual design faults in the hardware, unless the possibility of hardware design faults can be excluded (see Table A.15); b) environmental stresses, including electromagnetic disturbances (see Table A.16); c) mistakes made by the operator of the EUC (see Table A.17); d) any residual design faults in the software (see 7.4.3 of IEC 61508-3 and associated table); e) errors and other effects arising from any data communication process (see 7.4.11). |
Requirement: EN-61508-2 clause 7.4.7.2: consideration for maintainability and testability EN_61508_2_7_4_7_2
|
Maintainability and testability shall be considered during the design and development activities in order to facilitate implementation of these properties in the final E/E/PE safety-related systems. |
Requirement: EN-61508-2 clause 7.4.7.3: human capabilities and limitations in E/E/PE safety-related systems EN_61508_2_7_4_7_3
|
The design of the E/E/PE safety-related systems shall take into account human capabilities and limitations and be suitable for the actions assigned to operators and maintenance staff. Such design requirements shall follow good human-factor practice and shall accommodate the likely level of training or awareness of operators, for example in mass-produced E/E/PE safety-related systems where the operator is a member of the public. |
Requirement: EN-61508-2 clause 7.4.8.1: detection of dangerous faults in subsystems having a hardware fault tolerance more than 0 EN_61508_2_7_4_8_1
|
The detection of a dangerous fault (by diagnostic tests, proof tests or by any other means) in any subsystem that has a hardware fault tolerance of more than 0 shall result in either: a) a specified action to achieve or maintain a safe state (see Note); or b) the isolation of the faulty part of the subsystem to allow continued safe operation of the EUC whilst the faulty part is repaired. If the repair is not completed within the mean repair time (MRT), see 3.6.22 of IEC 61508-4, assumed in the calculation of the probability of random hardware failure (see 7.4.5.2), then a specified action shall take place to achieve or maintain a safe state (see Note). |
Requirement: EN-61508-2 clause 7.4.8.2: actions on detection of a dangerous fault in subsystems having a hardware fault tolerance of 0 EN_61508_2_7_4_8_2
|
The detection of a dangerous fault (by diagnostic tests, proof tests or by any other means) in any subsystem having a hardware fault tolerance of 0 shall, in the case that the subsystem is used only by safety function(s) operating in the low demand mode, result in either: a) a specified action to achieve or maintain a safe state; or b) the repair of the faulty subsystem within the mean repair time (MRT), see 3.6.22 of IEC 61508-4, assumed in the calculation of the probability of random hardware failure (see 7.4.5.2). During this time the continuing safety of the EUC shall be ensured by additional measures and constraints. The safety integrity provided by these measures and constraints shall be at least equal to the safety integrity provided by the E/E/PE safety-related system in the absence of any faults. The additional measures and constraints shall be specified in the E/E/PE system operation and maintenance procedures (see 7.6). |
Requirement: EN-61508-2 clause 7.4.8.3: detection of a dangerous fault in subsystems having a hardware fault tolerance of 0 EN_61508_2_7_4_8_3
|
The detection of a dangerous fault (by diagnostic tests, proof tests or by any other means) in any subsystem having a hardware fault tolerance of 0 shall, in the case of a subsystem that is implementing any safety function(s) operating in the high demand or the continuous mode, result in a specified action to achieve or maintain a safe state (see Note). |
Requirement: EN-61508-2 clause 7.4.9.1: E/E/PE safety-related system implementation EN_61508_2_7_4_9_1
|
The E/E/PE safety-related system shall be implemented according to the E/E/PE system design requirements specification (7.2.3). |
Requirement: EN-61508-2 clause 7.4.9.2: subsystems shall be identified and documented EN_61508_2_7_4_9_2
|
All subsystems and their elements that are used by one or more safety functions shall be identified and documented as safety-related subsystems and elements. |
Requirement: EN-61508-2 clause 7.4.9.3: informational requirements for each subsystem and element EN_61508_2_7_4_9_3
|
The following information shall be available for each safety-related subsystem and each element as appropriate (see also 7.4.9.4): a) a functional specification of the subsystem and its elements as appropriate; b) any instructions or constraints relating to the application of the subsystem and its elements, that should be observed in order to prevent systematic failures of the subsystem; c) the systematic capability of each element (see 7.4.2.2 c)); d) identification of the hardware and/or software configuration of the element to enable configuration management of the E/E/PE safety-related system in accordance with 6.2.1 of IEC 61508-1; e) documentary evidence that the subsystem and its elements have been verified as meeting their specified functional requirements and systematic capabilities in accordance with the E/E/PE design requirements specification (see 7.2.3). |
Requirement: EN-61508-2 clause 7.4.9.4: informational requirements for each element that is liable to random hardware failure EN_61508_2_7_4_9_4
|
The following information shall be available for each safety-related element that is liable to random hardware failure (see also 7.4.9.3 and 7.4.9.5): a) the failure modes of the element (in terms of the behaviour of its outputs), due to random hardware failures, that result in a failure of the safety function and that are not detected by diagnostic tests internal to the element or are not detectable by diagnostics external to the element (see 7.4.9.5); b) for every failure mode in a), an estimated failure rate with respect to specified operating conditions; c) the failure modes of the element (in terms of the behaviour of its outputs), due to random hardware failures, that result in a failure of the safety function and that are detected by diagnostic tests internal to the element or are detectable by diagnostics external to the element (see 7.4.9.5); d) for every failure mode in c), an estimated failure rate with respect to specified operating conditions; e) any limits on the environment of the element that should be observed in order to maintain the validity of the estimated rates of failure due to random hardware failures; f) any limit on the lifetime of the element that should not be exceeded in order to maintain the validity of the estimated rates of failure due to random hardware failures; g) any periodic proof test and/or maintenance requirements; h) for every failure mode in c) that is detected by diagnostics internal to the element, the diagnostic coverage derived according to Annex C (see Note 2); i) for every failure mode in c) that is detected by diagnostics internal to the element, the diagnostic test interval (see Note 2); j) the failure rate of the diagnostics, due to random hardware failures; k) any additional information (for example repair times) that is necessary to allow the derivation of the mean repair time (MRT), see 3.6.22 of IEC 61508-4, following detection of a fault by the diagnostics; l) all information that is necessary to enable the derivation of the safe failure fraction (SFF) of the element as applied in the E/E/PE safety-related system, determined according to Annex C, including the classification as type A or type B according to 7.4.4; m) the hardware fault tolerance of the element. |
The estimated failure rates, due to random hardware failures, for elements (see 7.4.9.4 a) and c)) can be determined either a) by a failure modes and effects analysis of the design using element failure data from a recognised industry source; or b) from experience of the previous use of the element in a similar environment (see 7.4.10). |
Suppliers shall provide a safety manual for compliant items, in accordance with Annex D, for each compliant item that they supply and for which they claim compliance with IEC 61508 series. |
The supplier shall document a justification for all the information that is provided in each safety manual for compliant items. |
An element shall only be regarded as proven in use when it has a clearly restricted and specified functionality and when there is adequate documentary evidence to demonstrate that the likelihood of any dangerous systematic faults is low enough that the required safety integrity levels of the safety functions that use the element is achieved. Evidence shall be based on analysis of operational experience of a specific configuration of the element together with suitability analysis and testing. |
The documentary evidence required by 7.4.10.1 shall demonstrate that: a) the previous conditions of use (see Note 1) of the specific element are the same as, or sufficiently close to, those that will be experienced by the element in the E/E/PE safety-related system; b) the dangerous failure rate has not been exceeded in previous use. |
Requirement: EN-61508-2 clause 7.4.10.3: impact analysis when there are differences between conditions of use EN_61508_2_7_4_10_3
|
When there is any difference between the previous conditions of use and those that will be experienced in the E/E/PE safety-related system, then an impact analysis on the differences shall be carried out using a combination of appropriate analytical methods and testing, in order to demonstrate that the likelihood of any dangerous systematic faults is low enough that the required safety integrity level(s) of the safety function(s) that use the element is achieved. |
Requirement: EN-61508-2 clause 7.4.10.4: documentation of a proven in use safety justification EN_61508_2_7_4_10_4
|
A proven in use safety justification shall be documented, using the information available from 7.4.10.2, that the element supports the required safety function with the required systematic safety integrity. This shall include: a) the suitability analysis and testing of the element for the intended application; b) the demonstration of equivalence between the intended operation and the previous operation experience, including the impact analysis on the differences; c) the statistical evidence. |
Requirement: EN-61508-2 clause 7.4.10.5: determining if requirements (7.4.10.1 to 7.4.10.4) have been met EN_61508_2_7_4_10_5
|
The following factors shall be taken into account when determining whether or not the above requirements (7.4.10.1 to 7.4.10.4) have been met, in terms of both the coverage and degree of detail of the available information (see also 4.1 of IEC 61508-1): a) the complexity of the element; b) the systematic capability required for the element; c) the novelty of design. |
Requirement: EN-61508-2 clause 7.4.10.6: element functions that are not in use shall not affect the safety integrity of elements that are in use EN_61508_2_7_4_10_6
|
There shall be satisfactory evidence that the existing element’s functions that are not covered by the proven in use demonstration cannot adversely affect the safety integrity of the element functions that are used. |
Any future modification of a proven in use element shall comply with the requirements of 7.8, and IEC 61508-3. |
Requirement: EN-61508-2 clause 7.4.11.1: failure measures for data communication EN_61508_2_7_4_11_1
|
When data communication is used in the implementation of a safety function then the failure measure (such as the residual error rate) of the communication process shall be estimated taking into account transmission errors, repetitions, deletion, insertion, re-sequencing, corruption, delay and masquerade. This failure measure shall be taken into account when estimating the failure measure of the safety function due to random failures (see 7.4.5). |
Requirement: EN-61508-2 clause 7.4.11.2: techniques and measures for the communication process EN_61508_2_7_4_11_2
|
The techniques and measures necessary to ensure the required failure measure (such as the residual error rate) of the communication process (see 7.4.11.1) shall be implemented according to the requirements of this standard and IEC 61508-3. This allows two possible approaches: - the entire communication channel shall be designed, implemented and validated according to the IEC 61508 series and IEC 61784-3 or IEC 62280 series. This is a so-called “white channel” (see Figure 7 a); or - parts of the communication channel are not designed or validated according to the IEC 61508 series. This is a so-called “black channel” (see Figure 7 b). In this case, the measures necessary to ensure the failure performance of the communication process shall be implemented in the E/E/PE safety-related subsystems or elements that interface with the communication channel in accordance with the IEC 61784-3 or IEC 62280 series as appropriate. |
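With the black-channel approach of 7.4.11.2, the measures against the failure types listed in 7.4.11.1 live in the safety-related endpoints rather than in the transport. The sketch below is an added illustration written for this page; it is not text from the standard and not an IEC 61784-3 or IEC 62280 profile. It uses a constructed frame layout (source identifier, sequence number, time stamp, CRC32 and a keyed tag) and a receiver that maps each check to the failure type it detects, dropping to a safe state on any detected fault as 7.4.8.3 requires of an HFT-0 subsystem in high demand or continuous mode. The field sizes, the 50 ms time budget, the key and the sample traffic are all assumptions of the example.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout (an assumption of this example, not a standardised profile):
#   source_id (2) | seq (4) | timestamp_ms (4) | payload_len (2) | payload | crc32 (4) | tag (16)
HDR = struct.Struct(">HIIH")
CRC = struct.Struct(">I")
TAG_LEN = 16
DEMO_KEY = b"constructed-demo-key"  # constructed connection key for the example


def build_frame(source_id, seq, ts_ms, payload, key=DEMO_KEY):
    """Sender: header + payload, then a CRC32 (against corruption) and a truncated
    HMAC-SHA256 tag bound to the connection key (against masquerade)."""
    body = HDR.pack(source_id, seq, ts_ms, len(payload)) + payload
    crc = CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)
    tag = hmac.new(key, body + crc, hashlib.sha256).digest()[:TAG_LEN]
    return body + crc + tag


class SafetyReceiver:
    """Receiver side of the safety layer. Any detected communication fault sets
    safe_state (the specified action of 7.4.8.3); receive() names the failure type."""

    def __init__(self, expected_source, max_age_ms, key=DEMO_KEY):
        self.expected_source = expected_source
        self.max_age_ms = max_age_ms  # safety time budget for one frame
        self.key = key
        self.last_seq = None
        self.last_ok_ms = None
        self.safe_state = False

    def _fail(self, reason):
        self.safe_state = True
        return reason

    def receive(self, frame, now_ms):
        if len(frame) < HDR.size + CRC.size + TAG_LEN:
            return self._fail("corruption")
        body, crc, tag = frame[:-(CRC.size + TAG_LEN)], frame[-(CRC.size + TAG_LEN):-TAG_LEN], frame[-TAG_LEN:]
        # corruption: CRC over header and payload, and the declared payload length
        if CRC.pack(zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return self._fail("corruption")
        source_id, seq, ts_ms, plen = HDR.unpack(body[:HDR.size])
        if plen != len(body) - HDR.size:
            return self._fail("corruption")
        # insertion: a well-formed frame from a participant outside this connection
        if source_id != self.expected_source:
            return self._fail("insertion")
        # masquerade: correct source identifier, but tag not made with the connection key
        expected = hmac.new(self.key, body + crc, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return self._fail("masquerade")
        # delay: frame older than the time budget
        if now_ms - ts_ms > self.max_age_ms:
            return self._fail("delay")
        # sequence number: repetition, re-sequencing and deletion
        if self.last_seq is not None:
            if seq == self.last_seq:
                return self._fail("repetition")
            if seq < self.last_seq:
                return self._fail("re-sequencing")
            if seq > self.last_seq + 1:
                return self._fail("deletion")
        self.last_seq, self.last_ok_ms = seq, now_ms
        return "OK"

    def watchdog(self, now_ms):
        """Silence longer than the time budget is treated as delay."""
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.max_age_ms:
            return self._fail("delay")
        return "OK"


def demo():
    """Constructed traffic: a connection that has accepted frame 1, then one frame
    per failure type of 7.4.11.1. Returns the reason reported for each scenario."""
    src, other_key, cmd = 0x0001, b"other-key", b"\x01\x00"  # constructed values

    def fresh():
        rx = SafetyReceiver(src, max_age_ms=50)
        rx.receive(build_frame(src, 1, 1000, cmd), 1010)
        return rx

    out = {"ok": fresh().receive(build_frame(src, 2, 1020, cmd), 1030)}
    flipped = bytearray(build_frame(src, 2, 1020, cmd))
    flipped[HDR.size] ^= 0x80  # one payload bit flipped in transit
    out["corruption"] = fresh().receive(bytes(flipped), 1030)
    out["insertion"] = fresh().receive(build_frame(0x0099, 2, 1020, cmd), 1030)
    out["masquerade"] = fresh().receive(build_frame(src, 2, 1020, cmd, key=other_key), 1030)
    out["delay"] = fresh().receive(build_frame(src, 2, 1020, cmd), 1100)
    out["repetition"] = fresh().receive(build_frame(src, 1, 1000, cmd), 1020)
    out["re-sequencing"] = fresh().receive(build_frame(src, 0, 1020, cmd), 1030)
    out["deletion"] = fresh().receive(build_frame(src, 3, 1020, cmd), 1030)
    out["timeout"] = fresh().watchdog(1100)
    return out
```

The first anomaly stops acceptance and latches `safe_state`; a real safety layer would in addition define the residual error rate that 7.4.11.1 asks for, which depends on the CRC polynomial, the tag length and the bit error rate assumed for the channel, none of which this sketch quantifies.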
The E/E/PE safety-related system shall be integrated according to the specified E/E/PE system design and shall be tested according to the specified E/E/PE system integration tests (see 7.4.2.11). |
Requirement: EN-61508-2 clause 7.5.2.2: E/E/PE safety-related system shall be tested as specified EN_61508_2_7_5_2_2
|
As part of the integration of all modules into the E/E/PE safety-related system, the E/E/PE safety-related system shall be tested as specified (see 7.4). These tests shall show that all modules interact correctly to perform their intended function and are designed not to perform unintended functions. |
Requirement: EN-61508-2 clause 7.5.2.3: integration according to 7.5 of IEC 61508-3 EN_61508_2_7_5_2_3
|
The integration of safety-related software into the E/E/PE safety-related system shall be carried out according to 7.5 of IEC 61508-3. |
Appropriate documentation of the integration testing of the E/E/PE safety-related system shall be produced, stating the test results and whether the objectives and criteria specified during the design and development phase have been met. If there is a failure, the reasons for the failure and its correction shall be documented. |
During the integration and testing, any modifications or change to the E/E/PE safety-related system shall be subject to an impact analysis which shall identify all subsystems and elements affected and the necessary re-verification activities. |
Requirement: EN-61508-2 clause 7.5.2.6: E/E/PE system integration testing informational requirements EN_61508_2_7_5_2_6
|
The E/E/PE system integration testing shall document the following information: a) the version of the test specification used; b) the criteria for acceptance of the integration tests; c) the version of the E/E/PE safety-related system being tested; d) the tools and equipment used along with calibration data; e) the results of each test; f) any discrepancy between expected and actual results; g) the analysis made and the decisions taken on whether to continue the test or issue a change request, in the case when discrepancies occur. |
Requirement: EN-61508-2 clause 7.5.2.7: avoidance of faults during E/E/PE system integration EN_61508_2_7_5_2_7
|
For the avoidance of faults during the E/E/PE system integration, an appropriate group of techniques and measures according to Table B.3 shall be used. |
Requirement: EN-61508-2 clause 7.6.2.1: E/E/PE system operation and maintenance procedures specifications EN_61508_2_7_6_2_1
|
E/E/PE system operation and maintenance procedures shall be prepared. They shall specify the following: a) the routine actions that need to be carried out to maintain the as-designed functional safety of the E/E/PE safety-related system, including routine replacement of elements with a pre-defined life, for example cooling fans, batteries, etc.; b) the actions and constraints that are necessary (for example, during installation, start-up, normal operation, routine testing, foreseeable disturbances, faults or failures, and shut-down) to prevent an unsafe state and/or reduce the consequences of a harmful event; c) the documentation that needs to be maintained on system failure and demand rates on the E/E/PE safety-related system; d) the documentation that needs to be maintained showing results of audits and tests on the E/E/PE safety-related system; e) the maintenance procedures to be followed when faults or failures occur in the E/E/PE safety-related system, including:
f) the procedures for reporting maintenance performance shall be specified. In particular:
g) the tools necessary for maintenance and revalidation and procedures for maintaining the tools and equipment. |
Requirement: EN-61508-2 clause 7.6.2.2: E/E/PE safety-related system operation and maintenance procedures shall be continuously upgraded EN_61508_2_7_6_2_2
|
The E/E/PE safety-related system operation and maintenance procedures shall be continuously upgraded from inputs such as (1) the results of functional safety audits and (2) tests on the E/E/PE safety-related system. |
Requirement: EN-61508-2 clause 7.6.2.3: routine maintenance actions shall be determined by a systematic method EN_61508_2_7_6_2_3
|
The routine maintenance actions required to maintain the required functional safety (as designed) of the E/E/PE safety-related system shall be determined by a systematic method. This method shall determine unrevealed failures of all safety-related elements (from sensors through to final elements) that would cause a reduction in the safety integrity achieved. Suitable methods include:
|
Requirement: EN-61508-2 clause 7.6.2.4: E/E/PE system operations and maintenance procedures EN_61508_2_7_6_2_4
|
The E/E/PE system operation and maintenance procedures shall be assessed for the impact they may have on the EUC. |
Requirement: EN-61508-2 clause 7.6.2.5: avoidance of faults and failures during E/E/PE system operation and maintenance procedures EN_61508_2_7_6_2_5
|
For the avoidance of faults and failures during the E/E/PE system operation and maintenance procedures, an appropriate group of techniques and measures according to Table B.4 shall be used. |
Requirement: EN-61508-2 clause 7.7.2.1: validation in accordance with a prepared plan (7.7 of IEC 61508-3) EN_61508_2_7_7_2_1
|
The validation of the E/E/PE system safety shall be carried out in accordance with a prepared plan (see also 7.7 of IEC 61508-3). |
Requirement: EN-61508-2 clause 7.7.2.2: test measurement equipment used for validation shall be calibrated EN_61508_2_7_7_2_2
|
All test measurement equipment used for validation shall be calibrated against a standard traceable to a national standard, if available, or to a well-recognised procedure. All test equipment shall be verified for correct operation. |
Requirement: EN-61508-2 clause 7.7.2.3: all E/E/PE system safety requirements shall be validated by test/analysis EN_61508_2_7_7_2_3
|
The adequate implementation of each safety function specified in the E/E/PE system safety requirements (see 7.10 of IEC 61508-1), the E/E/PE system design requirements (see 7.2), and all the E/E/PE system operation and maintenance procedures shall be validated by test and/or analysis. If adequate independence or decoupling between individual elements or subsystems cannot be demonstrated analytically, the related combinations of functional behaviour shall be tested. |
Requirement: EN-61508-2 clause 7.7.2.4: test measurement equipment calibration during validation EN_61508_2_7_7_2_4
|
All test measurement equipment used for validation shall be calibrated against a standard traceable to a national standard, if available, or to a well-recognised procedure. All test equipment shall be verified for correct operation. |
When discrepancies occur (i.e. the actual results deviate from the expected results by more than the stated tolerances), the results of the E/E/PE system safety validation testing shall be documented, including: a) the analysis made; and b) the decision taken on whether to continue the test or issue a change request and return to an earlier part of the validation test. |
Requirement: EN-61508-2 clause 7.7.2.6: results shall be available for validation testing EN_61508_2_7_7_2_6
|
The supplier or developer shall make available results of the E/E/PE system safety validation testing to the developer of the EUC and the EUC control system so as to enable them to meet the requirements for overall safety validation in IEC 61508-1. |
For the avoidance of faults during the E/E/PE system safety validation an appropriate group of techniques and measures according to Table B.5 shall be used. |
Requirement: EN-61508-2 clause 7.8.2.1: documentation for each E/E/PE system modification activity EN_61508_2_7_8_2_1
|
Appropriate documentation shall be established and maintained for each E/E/PE system modification activity. The documentation shall include: a) the detailed specification of the modification or change; b) an analysis of the impact of the modification activity on the overall system, including hardware, software (see IEC 61508-3), human interaction and the environment and possible interactions; c) all approvals for changes; d) progress of changes; e) test cases for subsystems and elements including revalidation data; f) E/E/PE system configuration management history; g) deviation from normal operations and conditions; h) necessary changes to system procedures; i) necessary changes to documentation |
Requirement: EN-61508-2 clause 7.8.2.2: compliance for manufacturers or system suppliers EN_61508_2_7_8_2_2
|
Manufacturers or system suppliers that claim compliance with all or part of this standard shall maintain a system to initiate changes as a result of defects being detected in hardware or software and to inform users of the need for modification in the event of the defect affecting safety. |
Modifications shall be performed with at least the same level of expertise, automated tools (see 7.4.4.2 of IEC 61508-3), and planning and management as the initial development of the E/E/PE safety-related systems. |
Requirement: EN-61508-2 clause 7.8.2.4: reverification/revalidation after modification EN_61508_2_7_8_2_4
|
After modification, the E/E/PE safety-related systems shall be reverified and revalidated. |
The verification of the E/E/PE safety-related systems shall be planned concurrently with the development (see 7.4), for each phase of the E/E/PE system safety lifecycle, and shall be documented. |
The E/E/PE system verification planning shall refer to all the criteria, techniques and tools to be utilised in the verification for that phase. |
The E/E/PE system verification planning shall specify the activities to be performed to ensure correctness and consistency with respect to the products and standards provided as input to that phase. |
The E/E/PE system verification planning shall consider the following: a) the selection of verification strategies and techniques; b) the selection and utilisation of the test equipment; c) the selection and documentation of verification activities; d) the evaluation of verification results gained from verification equipment direct and from tests. |
Requirement: EN-61508-2 clause 7.9.2.5: design and development phase requirements EN_61508_2_7_9_2_5
|
In each design and development phase it shall be shown that the functional and safety integrity requirements are met. |
Requirement: EN-61508-2 clause 7.9.2.6: documentation of each verification activity EN_61508_2_7_9_2_6
|
The result of each verification activity shall be documented, stating either that the E/E/PE safety-related systems have passed the verification, or the reasons for the failures. The following shall be considered: a) items that do not conform to one or more relevant requirements of the E/E/PE system safety lifecycle (see 7.2); b) items that do not conform to one or more relevant design standards (see 7.4); c) items that do not conform to one or more relevant safety management requirements (see Clause 6). |
For E/E/PE system design requirements verification, after E/E/PE system design requirements have been established (see 7.2), and before the next phase (design and development) begins, verification shall: a) determine whether the E/E/PE system design requirements are adequate to satisfy the E/E/PE system safety requirements specification (see 7.10 of IEC 61508-1) for safety, functionality, and other requirements specified during safety planning; and b) check for incompatibilities between:
|
For E/E/PE system design and development verification, after E/E/PE system design and development (see 7.4) has been completed and before the next phase (integration) begins, verification shall: a) determine whether the E/E/PE system tests are adequate for the E/E/PE system design and development; b) determine the consistency and completeness (down to and including module level) of the E/E/PE system design and development with respect to the E/E/PE system safety requirements (see 7.10 of IEC 61508-1); and c) check for incompatibilities between:
|
Requirement: EN-61508-2 clause 7.9.2.9: integration of E/E/PE safety-related system EN_61508_2_7_9_2_9
|
For E/E/PE system integration verification, the integration of the E/E/PE safety-related system shall be verified to establish that the requirements of 7.5 have been achieved. |
Test cases and their results shall be documented. |