IEC 61508-2:2010
Functional safety of electrical/electronic/programmable electronic safety-related systems –
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems



C.2 Determination of diagnostic coverage factors
In the calculation of diagnostic coverage for an element (see C.1) it is necessary to estimate, for each component or group of components, the fraction of dangerous failures that are detected by the diagnostic tests. The diagnostic tests that can contribute to the diagnostic coverage include, but are not limited to:

– comparison checks, for example monitoring and comparison of redundant signals;

– additional built-in test routines, for example checksums on memory;

– test by external stimuli, for example sending a pulsed signal through control paths;

– continuous monitoring of an analogue signal, for example, to detect out of range values indicative of sensor failure.

In order to calculate diagnostic coverage it is necessary to determine those failure modes that are detected by the diagnostic tests. It is possible that open-circuit or short-circuit failures for simple components (resistors, capacitors, transistors) can be detected with a coverage of 100 %. However, for more complex type B elements, see 7.4.4.1.3, account should be taken of the limitations to diagnostic coverage for the various components shown in Table A.1. This analysis shall be carried out for each component, or group of components, of each element and for each element of the E/E/PE safety-related system.

NOTE 1 Tables A.2 to A.14 recommend techniques and measures for diagnostic tests and recommend maximum diagnostic coverage that can be claimed. These tests may operate continuously or periodically (depending on the diagnostic test interval). The tables do not replace any of the requirements of this annex.

NOTE 2 Diagnostic tests can provide significant benefits in the achievement of functional safety of an E/E/PE safety-related system. However, care must be exercised not to unnecessarily increase the complexity which, for example, may lead to increased difficulties in verification, validation, functional safety assessment, and maintenance and modification activities. Increased complexity may also make it more difficult to maintain the long-term functional safety of the E/E/PE safety-related system.

The calculations to obtain the diagnostic coverage, and the ways it is used, assume that the EUC can operate safely in the presence of an otherwise dangerous fault that is detected by the diagnostic tests. If this assumption is not correct then the E/E/PE safety-related system shall be treated as operating in a high demand or a continuous mode of operation (see 7.4.8.3, 7.4.5.3 and 7.4.5.4).

NOTE 3 The definition of diagnostic coverage is given in 3.8.6 of IEC 61508-4. It is important to note that alternative definitions of the diagnostic coverage are sometimes assumed but these are not applicable within this standard.

NOTE 4 The diagnostic tests used to detect a dangerous failure within an element may be implemented by another element within the E/E/PE safety-related system.

NOTE 5 Diagnostic tests may operate either continuously or periodically, depending on the diagnostic test interval. There may be some cases or times where a diagnostic test should not be run due to the possibility of a test affecting the system state in an adverse manner. In this case, no benefits in the calculations may be claimed from the diagnostic tests.
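The following worked example is added here to illustrate the per-component calculation described in C.2 and the rule of NOTE 5; it is not part of the standard. It computes the diagnostic coverage of an element as the detected dangerous failure rate divided by the total dangerous failure rate (the definition referred to in NOTE 3), summed over the element's components. All failure rates, the component names and the per-component coverage limits are constructed sample values; in particular the 0.9 cap applied to the type B part is a hypothetical placeholder standing in for whatever limit Table A.1 gives, not a figure taken from the standard. The `test_runnable` flag models NOTE 5: a test that may not be run earns no credit, even where it would otherwise detect the failure.

```python
from dataclasses import dataclass


@dataclass
class FailureMode:
    """One failure mode of a component, with its rate in FIT (failures per 1e9 h)."""
    name: str
    rate_fit: float
    dangerous: bool      # dangerous failure mode (safe modes do not enter the DC)
    detected: bool       # covered by an automatic on-line diagnostic test


@dataclass
class Component:
    """A component (or group of components) of the element under analysis."""
    name: str
    modes: list
    # Upper bound on the coverage that may be claimed for this component
    # (the role played by the Table A.1 limits for complex type B parts).
    # The values used below are hypothetical placeholders, not standard figures.
    max_claimable_dc: float = 1.0
    # NOTE 5: if the diagnostic test must not be run because it could disturb
    # the system state, no credit is taken for it at all.
    test_runnable: bool = True


def component_rates(c: Component):
    """Return (lambda_DD, lambda_D) for one component.

    lambda_D  = sum of all dangerous failure rates
    lambda_DD = sum of the dangerous failure rates that are detected,
                limited to max_claimable_dc * lambda_D, and forced to zero
                when the test is not allowed to run.
    """
    lam_d = sum(m.rate_fit for m in c.modes if m.dangerous)
    if not c.test_runnable:
        return 0.0, lam_d
    lam_dd = sum(m.rate_fit for m in c.modes if m.dangerous and m.detected)
    return min(lam_dd, c.max_claimable_dc * lam_d), lam_d


def diagnostic_coverage(components):
    """DC of the element = detected dangerous rate / total dangerous rate."""
    lam_dd = 0.0
    lam_d = 0.0
    for c in components:
        dd, d = component_rates(c)
        lam_dd += dd
        lam_d += d
    return lam_dd / lam_d if lam_d > 0 else 0.0


# Constructed sample element: every rate and coverage limit is illustrative.
SAMPLE_ELEMENT = [
    Component("R1 sense resistor", [
        FailureMode("open circuit", 10.0, dangerous=True, detected=True),   # comparison of redundant channels
        FailureMode("short circuit", 5.0, dangerous=False, detected=True),  # safe mode, not counted
    ]),
    Component("U1 microcontroller (type B)", [
        FailureMode("memory corruption", 200.0, dangerous=True, detected=True),  # memory checksum
        FailureMode("logic fault", 100.0, dangerous=True, detected=True),        # cross-channel comparison
    ], max_claimable_dc=0.9),  # hypothetical cap: at most 90 % may be claimed for this part
    Component("S1 analogue sensor", [
        FailureMode("out-of-range output", 50.0, dangerous=True, detected=True),  # range monitoring
        FailureMode("in-range drift", 50.0, dangerous=True, detected=False),     # seen by no test
    ]),
    Component("V1 output stage", [
        FailureMode("stuck", 40.0, dangerous=True, detected=True),  # a pulse test exists ...
    ], test_runnable=False),  # ... but must not be run on this process (NOTE 5): no credit
]


if __name__ == "__main__":
    for c in SAMPLE_ELEMENT:
        dd, d = component_rates(c)
        print(f"{c.name:32s} lambda_DD={dd:6.1f} FIT  lambda_D={d:6.1f} FIT")
    print(f"Element DC = {diagnostic_coverage(SAMPLE_ELEMENT):.3f}")
```

Running the script shows how the three effects combine: the simple resistor reaches full coverage, the type B part is held to its cap (270 of 300 FIT) even though both of its dangerous modes are detected, the sensor's undetected drift halves its contribution, and the output stage contributes nothing because its test may not be run. The element as a whole therefore has DC = 330 / 450 ≈ 0.733, well below what a naive count of "tests present" would suggest.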