Functional safety of electrical/electronic/programmable electronic safety-related systems –
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
Annex B
(normative)
Techniques and measures for E/E/PE safety-related systems – avoidanceof systematic failures during the different phases of the lifecycle
Tables B.1to B.5 in this annex recommend, for each safety integrity level, techniques and measures to avoid failures in E/E/PE safety-related systems. More information about the techniques and measures can be found in Annex B of IEC 61 508-7. Requirements for measures to control failures during operation are given in Annex A and described in Annex A of IEC 61 508-7.
It is not possible to list every individual cause of systematic failures, originating throughout the safety life cycle, or every remedy, for two main reasons:
– the effect of a systematic fault depends on the lifecycle phase in which it was introduced; and
– the effectiveness of any single measure to avoid systematic failures depends on the application.
A quantitative analysis for the avoidance of systematic failures is therefore impossible.
Failures in E/E/PE safety-related systems may be categorised, according to the lifecycle phase in which a causal fault is introduced, into:
– failures caused by faults originating before or during system installation (for example, software faults include specification and program faults, hardware faults include manufacturing faults and incorrect selection of elements); and
– failures caused by faults originating after system installation (for example random
hardware failures, or failures caused by incorrect use).
In order to avoid or control such failures when they occur, a large number of measures are normally necessary. The structure of the requirements in Annexes A and B results from dividing the measures into those used to avoid failures during the different phases of the E/E/PE system safety lifecycle (this annex), and those used to control failures during operation (Annex A). The measures to control failures are built-in features of the E/E/PE safety-related systems, while the measures to avoid failures are performed during the safety lifecycle.
In Tables B.1to B.5, recommendations are made and requirements are given by safety integrity level, stating firstly the importance of the technique or measure and secondly the effectiveness required if it is used. The importance is signified as follows:
– M: the technique or measure is required (mandatory) for this safety integrity level.
– HR: the technique or measure is highly recommended for this safety integrity level. If this technique or measure is not used then the rationale behind not using it shall be detailed;
– R: the technique or measure is recommended for this safety integrity level.
– -: the technique or measure has no recommendation for or against being used;
– NR: the technique or measure is positively not recommended for this safety integrity level. If this technique or measure is used then the rationale behind using it shall be detailed;
The required effectiveness is signified as follows:
– Low: if used, the technique or measure shall be used to the extent necessary to give at least low effectiveness against systematic failures;
– Medium: if used, the technique or measure shall be used to the extent necessary to give at least medium effectiveness against systematic failures;
– High: the technique or measure shall be used to the extent necessary to give high
effectiveness against systematic failures.
NOTE Most of the measures in Tables B.1to B.5 can be used with varying effectiveness according to Table B.6, which gives examples for low and high effectiveness. The effort required for medium effectiveness lies somewhere between that specified for low and for high effectiveness.
If a measure is not mandatory, it is in principle replaceable by other measures (either
individually or in combination); this is governed by the shading, as explained in each table.
Following the guidelines in this annex does not guarantee by itself the required safety integrity. It is important to consider the following:
– the consistency of the chosen techniques and measures, and how well they will
complement each other;
– which techniques and measures are appropriate, for every phase of the development lifecycle; and
– which techniques and measures are most appropriate for the specific problems
encountered during the development of each different E/E/PE safety-related system.
