9 Test requirements
9.1 Planning of tests
9.2 Functional testing
9.3 Electromagnetic (EM) immunity testing
9.3.1 General
9.3.2 Intended EM environment
9.3.3 Performance criterion (fail safe state – FS)
9.4 Thermal immunity testing
9.4.1 General
9.4.2 Functional thermal test
9.4.3 Component thermal test
9.5 Mechanical immunity testing
9.5.1 General
9.5.2 Vibration test
9.5.3 Shock test
9.5.4 Performance criterion for mechanical immunity tests (fail safe state – FS)
9.6 Test documentation
9 Test requirements
9.1 Planning of tests
Testing of the safety sub-functions of the PDS(SR) shall be planned concurrently with each phase of the development process.
The test plan shall be documented, and shall include a detailed description of:
a) the functional testing of each safety sub-function;
b) the functional testing of each diagnostic function for each safety sub-function (fault insertion testing);
c) the environmental testing of each safety sub-function for immunity to each of the following environmental stresses:
1) electromagnetic (EM)
2) thermal
3) mechanical (shock & vibration)
d) the acceptance criteria.
Tests may be either “black-box”, where no account is taken of the internal implementation of the safety sub-function, or “white-box”, where specific knowledge of the implementation is used to determine the test (for example, fault insertion).
Tests may be waived or replaced by other verification or validation methods if permitted by the relevant requirements.
NOTE When it is difficult to perform safety sub-function tests on the complete PDS(SR) because of e.g. size, parts of the PDS(SR) that are considered to be safety-relevant can be tested individually.
9.2 Functional testing
Functional testing of each safety sub-function, including related diagnostics (fault insertion testing), shall be performed.
9.3 Electromagnetic (EM) immunity testing
9.3.1 General
The performance criterion that shall be applied when performing EM immunity tests on the PDS(SR) is specified in 9.3.3. This criterion does not apply to the normal (non-safety related) functions of the equipment.
NOTE Functional electromagnetic compatibility (EMC) of the PDS(SR) is achieved when it complies with the requirements of IEC 61800-3.
9.3.2 Intended EM environment
Where the EM environment is not known or not declared by the PDS(SR) manufacturer or the intended environment is the second environment, the PDS(SR) shall be verified to the immunity requirements given in the second environment columns of Tables E.1, E.2 and E.3.
When the environment of the intended use of the PDS(SR) is the first environment, the PDS(SR) shall be verified to the immunity requirements given in the first environment columns of Tables E.1 and E.3.
The performance criterion of 9.3.3 shall be applied.
The specified mitigation measures shall be in place during the tests to verify their effectiveness.
9.3.3 Performance criterion (fail safe state – FS)
The following performance criterion shall be satisfied while the PDS(SR) exercises all safety-related hardware parts during the tests. The behaviour of non-safety related functions of the PDS(SR) is not considered, unless non-safety related components are used as indicators of the safety sub-functions and have been verified to be operating properly.
Additionally, no hazards shall be introduced by the PDS(SR) when the EM immunity tests are applied.
Safety sub-functions of the PDS(SR):
– do not deviate outside their specified limits for functional safety (equal to criterion A of IEC 61800-3), or
– may deviate temporarily or permanently outside their specified limits for functional safety if the PDS(SR) reacts to the EM disturbance in such a way that a defined safe state (fail safe state) of the PDS(SR) is maintained or achieved within the specified maximum fault reaction time.
Permanent degradation of the safety sub-function or destruction of components is permitted provided a defined safe state shall be maintained or achieved within the specified maximum fault reaction time.
This criterion applies to all EM phenomena relevant to the PDS(SR) in its intended application.
9.4 Thermal immunity testing
9.4.1 General
Thermal immunity testing of each safety sub-function, including related diagnostics, shall be performed.
9.4.2 Functional thermal test
The test shall be performed according to the temperature rise test of IEC 61800-5-1:2007 to determine that each safety sub-function of the PDS(SR) works properly under the rated temperature operating conditions.
9.4.3 Component thermal test
For all components of each safety sub-function, the component manufacturer’s specified maximum operating temperature shall not be exceeded during the test.
NOTE 1 Testing whether all safety-related components are operated in the specified temperature range when the PDS(SR) is applied to its specified minimum and maximum ambient temperatures can be performed at a lower temperature than the rated maximum ambient air temperature of the PDS(SR). The maximum temperatures attained during testing can be corrected to the maximum rated ambient temperature for the PDS(SR) by adding the difference between the ambient temperature during the test and the maximum rated ambient temperature for the PDS(SR).
NOTE 2 IEC 61800-5-1 provides information regarding thermal test methods.
9.5 Mechanical immunity testing
9.5.1 General
Shock and vibration immunity testing of each safety sub-function, including related diagnostics, shall be performed.
9.5.2 Vibration test
Testing shall be performed according to the test conditions of the vibration test of IEC 61800-5-1:2007, except that the PDS(SR) shall be powered and each safety sub-function shall be verified while operating.
9.5.3 Shock test
Testing shall be performed according to the test conditions of the shock test of IEC 61800-2:2015, except that the PDS(SR) shall be powered and each safety sub-function shall be verified while operating.
9.5.4 Performance criterion for mechanical immunity tests (fail safe state – FS)
Safety sub-functions of the PDS(SR):
– do not deviate outside their specified limits for functional safety, or
– may deviate temporarily or permanently outside their specified limits for functional safety if the PDS(SR) reacts to the mechanical disturbance in such a way that a defined safe state (fail safe state) of the PDS(SR) is maintained or achieved within the specified maximum fault reaction time.
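The performance criterion of 9.3.3 and 9.5.4 applied to a recorded test trace, as an added example that is not part of the standard. The Sample fields, the verdict names and the constructed records are assumptions, as are the reading that no reset is commanded during the record and that a deviation which clears without the safe state being reached satisfies neither branch; the no-hazard condition of 9.3.3 is not evaluated here.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

@dataclass(frozen=True)
class Sample:                 # hypothetical record format for one logged instant
    t_ms: float               # time since start of the record
    within_limits: bool       # sub-function inside its specified safety limits
    safe_state: bool          # PDS(SR) is in its defined safe state

def evaluate_fs(samples: Iterable[Sample], max_reaction_ms: float) -> Tuple[str, str]:
    """Return (verdict, detail): PASS-A, PASS-FS or FAIL.

    The reaction time is measured from the first sample seen outside limits,
    so the logging interval bounds the resolution of the result.
    """
    state, t0 = "NORMAL", 0.0
    for s in samples:
        if state == "SAFE":
            if not s.safe_state:          # safe state must be maintained
                return "FAIL", f"safe state left at {s.t_ms} ms"
        elif s.safe_state:
            if state == "DEVIATING" and s.t_ms - t0 > max_reaction_ms:
                return "FAIL", f"safe state reached after {s.t_ms - t0} ms"
            state = "SAFE"
        elif state == "DEVIATING":
            if s.within_limits:
                return "FAIL", "deviation ended without reaching safe state"
            if s.t_ms - t0 > max_reaction_ms:
                return "FAIL", f"no safe state {s.t_ms - t0} ms after deviation"
        elif not s.within_limits:
            state, t0 = "DEVIATING", s.t_ms
    if state == "DEVIATING":
        return "FAIL", "record ended before safe state was reached"
    if state == "SAFE":
        return "PASS-FS", "safe state achieved and maintained"
    return "PASS-A", "no deviation outside specified limits"

# Constructed records: (t_ms, within_limits, safe_state)
def _rec(rows):
    return [Sample(*r) for r in rows]

CLEAN = _rec([(0, True, False), (10, True, False), (20, True, False)])
TRIP = _rec([(0, True, False), (10, False, False), (20, False, False),
             (30, False, True), (40, False, True)])
DROPPED = _rec([(0, True, False), (10, False, False), (20, False, True),
                (30, False, False)])

if __name__ == "__main__":
    for name, rec in (("clean", CLEAN), ("trip", TRIP), ("dropped", DROPPED)):
        print(name, evaluate_fs(rec, max_reaction_ms=25))
```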
9.6 Test documentation
During PDS(SR) testing for safety sub-functions, the following details shall be documented:
a) the version of the test plan used;
b) the criteria for acceptance of tests;
c) the model and version of the PDS(SR) being tested;
d) the tools and equipment used along with calibration data;
e) the conditions of the test;
f) the test personnel;
g) the detailed results of each test;
h) any discrepancy between expected and actual results;
i) the pass/fail status of the test. If the test has failed, the mode of failure shall be documented.