IEC 62061:2021 Safety of machinery - Functional safety of safety-related control system

5 Specification of a safety function

5.1 Objective

This clause sets out the procedures to specify the requirements of safety function(s) to be
implemented by the SCS.

5.2 Safety requirements specification (SRS)

5.2.1 General

Each safety function shall be specified by:
– functional requirements specification (see 5.2.3);
– safety integrity requirements specification (see 5.2.5)
and these shall be documented in the safety requirements specification (SRS).
Where a product standard specifies the safety requirements for the design of an SCS or
subsystem (e.g. ISO 13851 for two-hand control devices), these should be considered.

5.2.2 Information to be available

The following information shall be used to produce both the functional requirements
specification and safety integrity requirements specification of SCS:
– results of the risk assessment for the machine including all safety functions determined to
be necessary for the risk reduction process for each specific hazard;
– machine operating characteristics, including:
• modes of operation of machine,
• cycle time,
• response time performance,
• environmental conditions,
• interaction of person(s) with the machine (e.g. repairing, setting, cleaning);
– all information relevant to the safety function(s) which can have an influence on the SCS
design including, for example:
• a description of the behaviour of the machine that a safety function is intended to achieve
or to prevent;
• all interfaces between the safety functions, and between safety functions and any other
function (either within or outside the machine);
• required fault reaction functions of the safety function.

NOTE Some of the information might not be available or sufficiently defined before starting the iterative design
process of SCS, so the SCS safety requirements specifications can be required to be updated during the design
process.

5.2.3 Functional requirements specification

The functional requirements specification shall describe details of each safety function to be
performed including as applicable:

– a description of each safety function;
– the condition(s) (e.g. operating mode) of the machine in which the safety function shall be
active, disabled, configured or parameterized;
– the priority of those functions that can be simultaneously active and that can cause
conflicting action;
– the reset of a safety function;
– the frequency of operation of each safety function (rate of operating cycles, duty cycle);
– demand mode of operation;

NOTE 1 For definitions refer to 3.2.26, 3.2.27 and 3.2.28.

– the required response time of each safety function;
– the interface(s) of the safety functions to other machine functions;

NOTE 2 This could include a description of methods intended to give status information to users of the
machinery.

– a description of fault reaction function(s) and any constraints on, for example, re-starting or
continued operation of the machine in cases where the initial fault reaction is to stop the
machine;
– tests and any associated facilities (e.g. test equipment, test access ports);
– a description of the operating environment (e.g. electromagnetic immunity, temperature,
humidity, dust, chemical substances, mechanical vibration and shock);

NOTE 3 The specification of the electromagnetic environmental condition is within the scope of
IEC 61000-1-2. The electromagnetic environment is defined as the totality of electromagnetic phenomena
existing at a particular location. These phenomena can vary over time.

The electromagnetic environment is influenced by, for example:
– fixed and moving sources of electromagnetic energy,
– low, medium and high voltage equipment,
– control, signalling, communication and power systems,
– intentional radiators,
– physical processes (e.g. atmospheric discharges, switching actions),
– random or infrequent transients,
which all can produce disturbances that adversely impact the safety-related system or element under
consideration.

– rate of operating cycles, duty cycle, and/or utilisation category, for devices intended for use
in the safety function;

NOTE 4 The duty cycle of subsystems or subsystem elements can be higher than required for the safety
function, e.g. when used also for non-safety-related machine functions (the total number of cycles is to be
considered).

– other specific requirements which can impact functional safety.

5.2.4 Estimation of demand mode of operation

The demand mode of operation shall be estimated by applying the respective definitions. While
low demand mode operation is possible for a safety function, this document concentrates on
high demand and continuous mode. When the demand rate is estimated to be low, a high demand
mode can be assumed by activating the safety function at least once per year; this document is
then applied for the design. This is a straightforward application of the definition and is shown
in Figure 5 as a workflow.


5.2.5 Safety integrity requirements specification

The safety integrity requirements for each safety function shall be derived from the risk
assessment to ensure the necessary risk reduction can be achieved. In this document, a safety
integrity requirement is expressed as a target failure measure for the PFH.
The required safety integrity for each safety function to be carried out by an SCS shall be specified in terms of SIL according to Table 3 and documented.


The determination of the required safety integrity is the result of the risk assessment and refers
to the amount of the risk reduction to be carried out by the SCS. Examples of a methodology
are given in Annex A.

NOTE 1 Where a product standard specifies a required SIL for a safety function then this takes precedence over
Annex A.

NOTE 2 Further guidance on the relationship between risk assessment according to ISO 12100 and product standards
is provided in ISO TR 22100-1.
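The following script is an added worked example (not part of the standard's text) that applies 5.2.4 and 5.2.5 to the machine operating characteristics listed in 5.2.2: it estimates the demand rate from cycle time and operating hours, classifies the demand mode with the once-per-year threshold, applies the rule that a low-demand function may be designed as high demand if it is activated at least once per year, and checks an achieved PFH against the SIL target failure measures. The Table 3 PFH bands are assumed from the published standard (they are not reproduced on this page); the operating profiles are constructed.

```python
from typing import Dict, Tuple

# Assumed IEC 62061 Table 3 target failure measures (PFH, per hour): (lower, upper) per SIL.
SIL_PFH_BANDS: Dict[int, Tuple[float, float]] = {
    1: (1e-6, 1e-5),
    2: (1e-7, 1e-6),
    3: (1e-8, 1e-7),
}

def estimate_demands_per_year(cycle_time_s: float,
                              operating_hours_per_year: float,
                              demands_per_cycle: float) -> float:
    """Demand rate from the 5.2.2 operating characteristics (cycle time, utilisation)."""
    return operating_hours_per_year * 3600.0 / cycle_time_s * demands_per_cycle

def demand_mode(demands_per_year: float, continuous: bool = False) -> str:
    """5.2.4 classification: continuous, high demand (more than once per year) or low demand."""
    if continuous:
        return "continuous"
    return "high" if demands_per_year > 1.0 else "low"

def design_mode(demands_per_year: float, continuous: bool = False) -> Tuple[str, bool]:
    """Mode to apply for the SCS design. Returns (mode, annual_activation_required):
    a low-demand function is treated as high demand only if it is activated at least
    once per year, which becomes a functional requirement in the SRS (5.2.3)."""
    mode = demand_mode(demands_per_year, continuous)
    if mode == "low":
        return "high", True
    return mode, False

def meets_sil(pfh: float, required_sil: int) -> bool:
    """True when the achieved PFH is below the upper bound of the required SIL band."""
    return 0.0 < pfh < SIL_PFH_BANDS[required_sil][1]

def achieved_sil(pfh: float) -> int:
    """Highest SIL (1..3) whose target failure measure the PFH satisfies; 0 if none."""
    for sil in (3, 2, 1):
        if meets_sil(pfh, sil):
            return sil
    return 0

if __name__ == "__main__":
    # Constructed profile: guard interlock demanded every 12 s cycle, 4000 operating hours a year.
    guard_dpy = estimate_demands_per_year(12.0, 4000.0, 1.0)
    print("guard interlock:", guard_dpy, "demands/year ->", design_mode(guard_dpy))
    # Constructed profile: emergency stop estimated at 0.5 demands per year.
    print("emergency stop:", design_mode(0.5))
    print("PFH 3e-7 meets SIL 2:", meets_sil(3e-7, 2), "achieved SIL:", achieved_sil(3e-7))
```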