10 Documentation
10.1 General
The manufacturer of an SCS and the manufacturer of subsystems shall prepare the relevant technical documentation according to 10.2 and the information for use according to 10.3.
The documentation shall demonstrate the procedure that has been followed and the results that have been received. The documentation shall be subject to version control.
10.2 Technical documentation
The documentation shall contain information relevant to the safety-related part:
– safety function(s) provided by the SCS according to Clause 5 or the safety sub-function provided by the SCS subsystem;
NOTE 1 Only safety functions which are required by the specific application need to be considered.
– if the design includes the subsystem design (see Clause 7), then the technical documentation shall:
• cover the test or analysis of fault behaviour leading to a loss of the safety function, or
• refer to a qualified example (e.g. an application note);
– the characteristics of each safety function according to 5.2;
– proof test procedures when proof testing is defined for the SCS;
– environmental conditions;
– measures against systematic failure (e.g. within generic design rules completed by elements within the risk assessment document);
– software documentation according to Clause 8;
NOTE 2 In general, this documentation is foreseen as being for the manufacturer’s internal purposes and will not be distributed to the machine user.
If well-tried components are used, the documentation of these components shall include the following aspects:
– version, component and application description,
– application specific information:
• use limits for the component to be regarded as well-tried,
• suitability analysis: e.g. functional behaviour, accuracy, behaviour in the case of a fault, time response, usability and maintainability,
• required testing,
– when based on past use for the demonstration of equivalence between the intended operation and the previous operation experience, an impact analysis on the differences between the past use case and the current situation shall be present.
Table 9 summarizes the documentation to be available, where appropriate.

Refer to Annex I, which provides examples of activities, documents and roles.
10.3 Information for use of the SCS
10.3.1 General
10.3.1.1 Overview
The information for use of the SCS shall provide relevant information for installation, use and
maintenance. This shall include a comprehensive description of the equipment, installation and
mounting as follows.
10.3.1.2 Specification of safety integrity
Specific information shall be provided on the safety integrity of the SCS, as follows:
– SIL 1, 2 or 3,
– if relevant, architectural constraints of the subsystem(s).
10.3.1.3 SCS and subsystems
SCS are typically designed and implemented as a safety-related system by a machine
manufacturer using available separate subsystems.
Subsystems are typically manufactured and placed on the market as a complete device ready
for use.
Therefore, there are different requirements for the information for use that apply to the
manufacturer of the machine or the manufacturer of the subsystems. A manufacturer of a
machine can also have the role of a manufacturer of the SCS subsystem.
10.3.2 Information for use given by the manufacturer of subsystems
The principles of ISO 12100:2010, 6.4 and the applicable sections of other relevant documents
(e.g. IEC 60204-1:2016, Clause 17), shall be applied.
In particular, the manufacturer of a subsystem shall indicate in the instructions that information
which is important for the safe installation, use and maintenance of the subsystem. This shall
include, but is not limited to, the following:
a) description of the subsystem including:
– general description of the subsystem and its function;
– installation instructions;
– interfacing requirements;
– configuration, settings or programming information, where applicable;
– a statement of the intended use of the subsystem and any measures that can be necessary to
prevent reasonably foreseeable misuse;
b) information on operating limits of the subsystem including:
– specification of environmental limits, e.g. temperature, lighting, vibration, noise,
atmospheric contaminants;
– specification of interfacing limits, e.g. electrical, hydraulic, pneumatic or mechanical
characteristics;
– specification of any other limits relevant to the intended safety functionality, e.g.
operating frequency, strength, range;
c) a description of any fault exclusions essential for maintaining the intended safety integrity.
Appropriate information (e.g. for modification, maintenance and repair) shall be given to
ensure the continued justification of the fault exclusion(s);
d) a description of any necessary measures at the subsystem to ensure that there will be no
degradation of the intended SCS function caused by a machine control system;
e) response time of the subsystem;
f) useful lifetime of the subsystem;
g) information on diagnostic functions required for correct interfacing and safe use;
h) information on indications and alarms;
i) the nature and frequency of any required inspection procedures;
j) the nature and frequency of any required test procedures, e.g. testing whether the
diagnostic is still working;
k) provisions for the maintainability of the subsystem where relevant. All information for
maintenance shall comply with ISO 12100:2010, 6.4.5.1 e). The information shall include:
– procedures for fault diagnosis and repair;
– procedures for confirming correct operation subsequent to repairs;
l) safety-related parameters (e.g. PFH, PFD, SIL, …).
10.3.3 Information for use given by the SCS integrator
The SCS integrator (typically the manufacturer of the machine) shall include the relevant
information in the instructions for use to enable the machine user to develop procedures to
ensure that the required functional safety of the SCS is maintained during use and maintenance
of the machine.
In particular, the SCS integrator shall indicate in the instructions that information which is important
for the safe use of the SCS including information on any measures that can be necessary to
prevent reasonably foreseeable misuse.
Information for use shall include, but is not limited to, the following:
a) operating limits of the SCS (including environmental conditions);
b) clear descriptions and related instructions for the user interfaces with the SCS e.g. operator
panel, indications and alarms;
c) description of the safety functions implemented in the SCS, including description of hazards
and hazardous situation, demand mode of operation, the safe state, process safety time,
overview (block) diagram(s) and circuit diagram(s) where appropriate;
d) a description (including interconnection diagrams) of the interaction (if any) between the
SCS function(s) and the machine control system function(s);
e) marking if required, according to ISO 12100:2010, 6.4.4;
f) useful lifetime and requirements for the SCS components;
g) information related to any muting and/or suspension of safety functions;
h) any operating mode relevant to the safety function(s);
i) inspection and periodic testing where relevant (e.g. certain safety distances have to be
tested periodically), including the nature of any required test procedures; see also 6.9 for
details;
j) the tools necessary for maintenance and re-commissioning, and the procedures for
maintaining the tools and equipment;
k) provisions for maintenance of the SCS where relevant, including any implications for fault
exclusion. All information for maintenance shall comply with ISO 12100:2010, 6.4.5.1 e).
The information shall include:
– procedures for fault diagnosis and repair, e.g. instructions for SCS functional recovery
in case of failure,
– procedures for confirming correct operation subsequent to repairs,
– preventive maintenance and corrective maintenance.
NOTE 1 Periodic tests are those functional tests necessary to confirm correct operation and to detect faults.
NOTE 2 Preventive maintenance comprises the measures taken to maintain the required performance of the SCS.
NOTE 3 Corrective maintenance includes the measures taken after the occurrence of specific fault(s) that bring the
SCS back into the "as-designed state".