Annex G
(informative)
Systematic failure
G.1 General
This Annex provides guidance on measures to control and avoid systematic failures during the design
and integration of SRP/CS.
G.2 Measures for the control of systematic failures
The following measures should be applied:
a) Use of de-energization (see ISO 13849-2:2012): The safety-related parts of the control system
(SRP/CS) should be designed so that the machine will achieve or maintain a safe state upon a power
supply loss.
c) Measures for controlling the effects of voltage breakdown, voltage variations, overvoltage,
undervoltage: SRP/CS behaviour in response to voltage breakdown, voltage variations, overvoltage,
and undervoltage conditions should be predetermined so that the SRP/CS can achieve or maintain
a safe state of the machine (see also IEC 60204-1 and IEC 61508-7:2010, A.8).
e) Measures for controlling or avoiding the effects of the physical environment (for example,
temperature, humidity, water, vibration, dust, corrosive substances, electromagnetic interference
and its effects): SRP/CS behaviour in response to the effects of the physical environment should be
predetermined so that the SRP/CS can achieve or maintain a safe state of the machine (see also, for
example, IEC 60529, IEC 60204-1).
g) Program sequence monitoring should be used with SRP/CS containing software in order to detect
defective program sequences: A defective program sequence exists if the individual elements of a
program (e.g. software modules, subprograms or commands) are processed in the wrong sequence
or period of time or if the clock of the processor is faulty (see IEC 61508-7:2010, A.9).
i) Measures for controlling the effects of errors and other effects arising from any data communication
process (see IEC 61508-2:2010, 7.4.11).
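Item g) above calls for program sequence monitoring (IEC 61508-7:2010, A.9). The following C example is added here and is not from the standard: each software module reports a checkpoint as it runs, and the monitor latches a fault when a module is reached out of order or when a cycle overruns its time budget; only a clean cycle allows the watchdog to be serviced. The three-step module sequence, the tick-based clock and the `MAX_CYCLE_TICKS` budget are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example: three safety-related modules that must execute in this
 * order in every cycle (read inputs, evaluate logic, drive outputs). */
enum step { STEP_INPUT = 0, STEP_LOGIC, STEP_OUTPUT, STEP_COUNT };
#define MAX_CYCLE_TICKS 10u   /* assumed time budget for one complete cycle */

struct seq_monitor {
    enum step expected;       /* next checkpoint the monitor expects */
    uint32_t cycle_start;     /* tick at which the current cycle began */
    bool fault;               /* latched once a sequence or timing error is seen */
};

/* Each module reports its checkpoint and the current tick when it runs. A module
 * reached out of order, or a cycle that overruns its budget (stalled module or
 * faulty processor clock), latches the fault for the rest of the cycle. */
bool seq_checkpoint(struct seq_monitor *m, enum step s, uint32_t now)
{
    if (m->fault || s != m->expected) {
        m->fault = true;                 /* skipped, repeated or misordered module */
        return false;
    }
    if (s == STEP_INPUT)
        m->cycle_start = now;            /* first module of the cycle starts the clock */
    if (now - m->cycle_start > MAX_CYCLE_TICKS) {
        m->fault = true;                 /* cycle took too long */
        return false;
    }
    m->expected = (enum step)((s + 1) % STEP_COUNT);
    return true;
}

/* Evaluated at the cycle boundary (e.g. from a timer interrupt): the watchdog is
 * serviced only if the whole sequence completed in order and in time; otherwise
 * the SRP/CS must be driven to its safe state. */
bool seq_cycle_ok(const struct seq_monitor *m)
{
    return !m->fault && m->expected == STEP_INPUT;
}

/* Feeds a recorded execution trace of (step, tick) pairs through the monitor
 * and reports whether the last cycle would have been accepted. */
bool run_trace(const enum step *steps, const uint32_t *ticks, int n)
{
    struct seq_monitor m = { STEP_INPUT, 0, false };
    for (int i = 0; i < n; i++)
        seq_checkpoint(&m, steps[i], ticks[i]);
    return seq_cycle_ok(&m);
}
```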
In addition, one or more of the following measures should be applied, taking into account the complexity
of the SRP/CS and its PL:
— failure detection by automatic tests;
— tests by redundant hardware;
— diverse hardware;
— operation in the positive mode;
— mechanically linked contacts;
— direct opening action;
— oriented mode of failure;
— over-dimensioning by a suitable factor, where the manufacturer can demonstrate that derating
improves reliability.
NOTE For examples of over-dimensioning, see ISO 13849-2:2012, Table D.2.
G.3 Measures for avoidance of systematic failures
The following measures should be applied:
a) Use of suitable materials and adequate manufacturing;
Selection of material, manufacturing methods and treatment in relation to, e.g. stress, durability,
elasticity, friction, wear, corrosion, temperature, conductivity, dielectric rigidity.
b) Correct dimensioning and shaping;
Consideration of e.g. stress, strain, fatigue, temperature, surface roughness, tolerances,
manufacturing.
c) Proper selection, combination, arrangements, assembly and installation of components, including
cabling, wiring and any interconnections;
Apply appropriate standards and manufacturer’s application notes, e.g. catalogue sheets,
installation instructions, specifications, and use of good engineering practice.
d) Compatibility;
Use components with compatible operating characteristics.
NOTE Components such as hydraulic or pneumatic valves can require cyclic switching to avoid failure
by non-switching or unacceptable increase in switching times. In this case a periodic test is necessary.
e) Withstanding specified environmental conditions;
Design the SRP/CS so that it is capable of working in all expected environments and in any
foreseeable adverse conditions, e.g. temperature, humidity, vibration and electromagnetic
interference (EMI) (see ISO 13849-2:2012, D.2).
f) Use of components designed to an appropriate standard and having well-defined failure modes.
This reduces the risk of undetected faults through the use of components with specific characteristics
(see IEC 61508-7:2010, B.3.3).
In addition, one or more of the following measures should be applied, taking into account the complexity
of the SRP/CS and its PL:
— Hardware design review (e.g. by inspection or walk-through);
To reveal by reviews and analysis discrepancies between the specification and implementation.
— Computer-aided design tools capable of simulation or analysis;
Perform the design procedure systematically and include appropriate automatic construction
elements that are already available and tested.
— Simulation.
Perform a systematic and complete inspection of an SRP/CS design in terms of both the functional
performance and the correct dimensioning of its components.
G.4 Measures for avoidance of systematic failures during SRP/CS integration
The following measures should be applied during integration of the SRP/CS:
— functional testing;
— project management;
— documentation.
In addition, black-box testing should be applied, taking into account the complexity of the SRP/CS and
its PL.
G.5 Management of functional safety
A functional safety plan should be drawn up and documented for each SRP/CS design project, and should
be updated as necessary. The functional safety plan is intended to provide measures for preventing
incorrect specification, implementation, or modification issues.
The functional safety plan should identify the relevant activities (see Figure 4, Iterative process for
design of SRP/CS) and should be adapted to the project.
NOTE 1 The functional safety plan can be part of other design documents.
NOTE 2 The content of the functional safety plan depends upon the specific circumstances, which can include:
— size of project;
— degree of complexity;
— degree of novelty of design and technology;
— degree of standardization of design features;
— possible consequence(s) in the event of failure.
In particular the functional safety plan should:
a) identify the relevant activities in the SRP/CS design process (specification, design, integration,
analysis, testing, verification, validation) and details of when they should take place;
b) identify the roles and resources necessary for carrying out and reviewing each of these activities;
c) identify procedures for release, configuration, documentation and modification of hardware and
software design;
d) establish a validation plan (see 10.1.2);
e) identify relevant activities before carrying out any modification.
NOTE 3 The request for a modification can arise from, for example:
— safety requirements specification changed;
— conditions of actual use;
— incident/accident experience;
— change of material processed;
— obsolescence;
— modifications of the machine or of its operating modes.
The effect of the requested modification should be analysed to establish the effect on the safety function.
All accepted modifications that have an effect on the SRP/CS should initiate a return to an appropriate
design phase for its hardware and/or for its software (e.g. specification, design, integration, installation,
commissioning, and validation). All subsequent phases and management procedures should then be
carried out in accordance with the procedures specified for the specific phases in this document. All
relevant documents should be revised, amended and reissued accordingly.